(57) ABSTRACT

A full-featured e-mail system is used in both Internet-based and client-side (personal computer) forms. In each form, either basic e-mail service is provided to system subscribers or a secure, premium service with authentication, concealment, integrity, and non-repudiation functions for electronic messaging services is provided. In either form and at either level of service, subscribers can work off-line on their own computers with proprietary software loaded or, alternatively, on-line on any computer with an Internet connection. The system is interoperable, to preserve security, with all S/MIME compliant software applications, even for those users not subscribing to a service implementing the disclosed system. Digital certificates can be provided as a security service of the disclosed system, rather than requiring a second source with separate verification procedures. As additional optional features, the subscriber can control compression of outgoing attachment files, rather than having that function absent or operate in some automatic way. Decompression of such file attachments when received occurs automatically for subscribers, without having to invoke a different program or system. Interactive help features, book hierarchy uniformity for messages, accounts, certificates, virus warnings, and dual naming capability are also provided and available to subscribers in both the Web-based and the client-side application forms disclosed herein, and in both basic and premium service levels.

10 Claims, 8 Drawing Sheets 
INTEROPERABLE FULL-FEATURED WEB-BASED AND CLIENT-SIDE E-MAIL SYSTEM

FIELD OF THE INVENTION

The present invention relates to systems and methods for providing electronic messages and other communications using the Internet or World Wide Web ("Web") and a variety of personal and other computers available to different subscribers and users.

BACKGROUND OF THE ART

Most all persons that are engaged in commerce and/or in any sort of interpersonal relations are, by 1999, very well familiar with e-mail as a form of virtually-instant, written communication using the Internet and the World Wide Web. Many millions of people in the US and abroad now have access to computers they may use at home, at work, at school (from grade-school to college), at public libraries, at "cyber-cafés", at office services centers or stores, at colleagues' offices and homes, and at myriad other places. On such computers they can compose and send or receive e-mail messages using a modem, an Internet Service Provider ("ISP"), and an e-mail program either loaded into the computer or provided, often free, by the ISP or another Web host. Eudora® is a commercial e-mail program loaded onto a user's computer (i.e., "client-side") for composing and sending and receiving e-mail. Client-side programs are often required for use at colleges, allowing students to work off-line and then dial in to the central server just to upload and download their messages. Hotmail® and many other e-mail systems reside on servers accessed from the Internet, such as those at msn.com, and can be accessed only while on-line with the e-mail system server via the Internet. However, a user must be at his or her own computer to use the client-side application, and has no access to such e-mail otherwise, as while travelling without the computer. Further, a user relying on Web-based e-mail can work on the e-mail system from any computer with an Internet connection, but only while connected to the Internet and incurring telephone and other charges.

No commercial e-mail service is known to provide both on-line and client-side services that are similar to one another in use. A need exists for a subscriber to be able to work selectively either (1) from his or her own computer using personal settings, information, and files, or alternatively and equally well, (2) from any other computer through a server that can access the user's "home" server and still have available the user's personal settings, information, and files.

Security is also a need for electronic messaging. Messages and attachments are typically sent between computers and servers and between servers over non-secure lines, and stored on intermediate servers as they are routed to their destinations. Messages are sent in multiple "packets", so that not all of a message will go the same route to its destination server, thus providing some inherent security in the Internet system. However, messages and attachments stored on the origin and destination servers are vulnerable to snooping by persons with knowledge of computer intrusion tactics. Encryption techniques are known, whereby a subscriber may encrypt his or her text before it goes to the origin server and the text stays encrypted until it reaches the recipient's computer, where it is displayed as plain text without further action by the user. Complete security systems for electronic messaging require also, however, additional features of authentication of the sender's identity, integrity of the message and attachments as against modifications in transit, and assurance against repudiation by the sender. None of these three added security features is available on any known Web-based e-mail system, although some client-side systems provide them.

Many security standards and algorithms are available for use in secure messaging. S/MIME, SSL, and X.509 standards are used in some secure client-side systems but not in any known Web-based system, except that SSL (Secure Socket Layer) is used in two recently released commercial products, noted below. Many security algorithms are known [illegible] 3-DES, Diffie-Hellman, DSS, MD5, RC2/40, RSA, and SHA-1: none of these is used in any Web-based application, save one of the recent commercial products. That product uses Diffie-Hellman and a further algorithm called Blowfish.

Useful e-mail systems provide additional features, besides simple messaging, that are helpful and desirable. Permitting address book(s), attachments, downloading of messages, and [illegible] messages into separate folders are typically allowed on some Web-based and most client-side systems. Features of checking multiple e-mail accounts and affording universal access from any computer are provided by Web-based systems but not by client-side systems. Typically, [illegible] a particular subject or action, they [illegible] assistance from a menu or sub-menu, then [illegible] appropriate subject. Often, these help menus are inadequate or confusing or don't even [illegible] the information the user requires. Virus warnings [illegible] naming procedures for log-in are known but not commonly used.

Very recently, two secure, Web-based e-mail systems have appeared commercially, under names of ZipLip and HushMail. Both of these systems provide concealment or privacy features, but neither includes the three other data security features of authentication, integrity, and non-repudiation. They use Secure Socket Layer (SSL) security standards for encrypting messages in transit. HushMail uses the Diffie-Hellman algorithm (which is recognized in the S/MIME standard) as well as the Blowfish algorithm (which is not); ZipLip uses none. Neither system permits message downloading or multiple e-mail account checking, but both permit universal access from any computer with Internet access. ZipLip permits attachments, while HushMail does not. HushMail has address book and message folder features not in ZipLip, and ZipLip permits attachments whereas HushMail does not. Neither system is interoperable with other systems, but one must use the ZipLip or the HushMail systems to access messages developed within those systems.

Microsoft has recently offered a Web-based tool referred to as Outlook Web Access ("OWA"), as a part of the Microsoft Exchange server. Included already in Microsoft Exchange has been "Outlook Client" ("OC"), a full-featured, client-side e-mail software application, which supports the S/MIME standard. The OWA program permits a subscriber to access his or her messages residing on an OC server for sending or receiving same from over the web, but there is no access while on OWA to a subscriber's personal information, files, or settings. OWA is not S/MIME compatible, so the client-side and Web-based capabilities and experiences are very different.

Thus, no known e-mail system or service, Web-based or client-side, offers features of compression of attachments on demand, an integrated certificate authority and service provider, both Web-based and client-side access, an interactive help system, a virus warning system, and dual-naming log-ins, built into the system. Rather, such features and functions must be accessed and accomplished if possible by going to other programs, slowing a user's electronic messaging procedure greatly.

SUMMARY OF THE INVENTION 

The present invention provides a robust, full-featured electronic messaging system with combined Web-based and client-side access that works equally well both from a subscriber's own computer with proprietary software or from any other computer connected to the Internet, with only very small differences in appearance and operation. Either way of access allows use of all features of the invention, including all security features noted below if the Internet connection is suitable.

The present invention provides both a basic form of service, both Web-based and client-side, and also a premium, secure level of service with all four of the security features of authentication, concealment, integrity, and non-repudiation, when used from the subscriber's computer or with a suitable Internet access.

The present invention permits inter-exchange of electronic messages with others that are not subscribers to the present system. For a subscriber to send a secure message to a person not a subscriber, the user need only be sure that the user's server and computer are set up to use the S/MIME protocol.

The present invention provides additional important features of multiple account checking, universal access, attachment compression on demand and automatic decompression, integrated certificate authority and e-mail service, interactive help, a uniform hierarchy for books of messages, e-mail accounts, and certificates, a virus warning system, and dual-naming log-in protections. All are useable from the subscriber's own computer, using the software system of the invention, and alternatively from any computer with suitable Internet access, using a password or -phrase to access the subscriber's own information, files, and setup.

The method of the present invention provides for programming both a Web-based server and a personal computer application with an e-mail messaging service configured to interact with and to shadow each other as to personal information, settings, and files of an individual one of said subscribers. The method includes steps of storing the personal information, settings, and files of a subscriber both on the Web-based server and on a personal computer running the application. Then the subscriber may access his or her files off-line solely through the personal computer and may alternatively access the files on-line through any computer able to communicate with the server. Access is then allowed to the messaging service via the server for a subscriber's sending and receiving electronic messages.

The present invention further provides for a digital certificate service with the messaging service. The Web-based form of messaging service is made secure against interception of messages. A subscriber can access the server of the messaging service from a personal computer using the Web-based form of service through an S/MIME compliant application to connect between the computer and the server. In a Web-based environment, a digital signature is provided to an authorized recipient, the signature verifying the identity of the sender, the integrity of the message, and the fact of the sending by the sender. The user is given control over whether or not to compress the file size of each outgoing attachment to a message; for subscribers, the decompression of each compressed attachment happens automatically when a subscriber opens it. Interactive help screens are provided on each subscriber's computer, both on-line through any computer and off-line if used through the subscriber's computer. Each of these help screens is displayed as it becomes pertinent to the task being then executed by the subscriber. The subscriber may turn any of these help screens on and off, however. A substantially uniform book hierarchy is provided for messages received and messages sent, e-mail accounts, and certificates available to the subscriber. A warning of possible virus contamination of attachments to a message is provided. Dual naming capability is available in the invention for more secure log-in, by requiring a log-in name as well as a user name upon log-in.

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a general operating diagram of the method of the present invention, depicting operation of the electronic messaging system in different circumstances for various subscribers and users.

FIG. 2 is a detailed depiction of the architecture of the system, showing functional servers and connections.

FIG. 3 is a depiction of the chain of certificates used in the system for verifying identity of the senders of messages in the system.

FIG. 4 is a depiction of the security system used in the invention for communications lines.

FIGS. 5 through 14 are screen shots of the various screens used in a preferred embodiment, implementing the invention.

THE PREFERRED EMBODIMENTS 

The present invention combines network/server architecture and, in one embodiment, a privacy-enabled e-mail application. This application, here called "EMC" for short, allows any e-mail service provider to offer privacy-enhanced e-mail to its users. EMC was developed with the following goals in mind:

1. The architecture must be robust and scalable in terms of cost and security,

2. The architecture must provide a standard level of security in any configuration,

3. The architecture must provide an overall security package to the client and the end-user,

4. The e-mail application must be universally applicable, to fill any user's needs,

5. The e-mail application should incorporate many useful features that are not found in currently existing e-mail applications, and

6. The e-mail application should be easy to learn and use, and should provide continuous feedback to the user.

The architecture of the invention has a minimum set of requirements that allow ISP's the opportunity to implement EMC with little or no additional overhead costs. This minimum set of requirements can be utilized to provide a robust platform from which to provide secure e-mail services. EMC attains goals nos. 1 and 2 above through the hardware/software specification of the EMC network. This network is scalable in terms of the number of servers used, the type of connections used between servers, and the backup capability of the servers. This underlying architecture uses state-of-the-art technology to provide the means by which EMC fulfills goals nos. 3-6 of the previous list.
The architecture of EMC was designed for three purposes:

1. To securely provide certificates to end-users,

2. To securely provide a Certificate Repository, and

3. To securely provide the mail server for the e-mail applications specified for use with EMC.

These three purposes are met by the architecture specification, which provides these services securely by strategically using firewalls, secure routers, public key encryption, and specific authentication protocols. This design offers an overall security package for the service provider and the end-user. Fulfillment of these goals is achieved through implementation of the e-mail application as in the implementation and system deployment example of FIG. 2.

As shown in the system architecture diagram of FIG. 2, a subscriber to EMC will use a Web browser of recent vintage in conjunction with Java and other applications on his/her own computer, whether a desk-top PC, a laptop PC, an Apple machine, a workstation, etc. The application, in any of various forms available, contains all the functionality of the client-side EMC program, loaded to the hard drive of the subscriber's computer as from a CD-ROM or down-loaded and saved for execution from the Internet. The mail server and the Web/Application server cooperate at the server level through Servlets as shown to provide the functionality needed at the server level, and to cooperate with the subscriber through the browser as controlled through the EMC application, as embodied in Java or a similar language. The Application and the e-mail server cooperate with a Certificate Authority to generate a certificate for communications and to keep that certificate for use when needed by the application either at the computer or the server level. Communications among the different entities are conducted over lines secured by the various protocols shown, or others of similar effect.

In order to create universal appeal, the e-mail application provides two implementation forms and two levels of service. The first form is a Web-based implementation that uses distributed computing technology to provide e-mail service without downloading by the end user. The second implementation form is an application that is loaded on or downloaded to the subscriber's personal machine and run locally. The ability to offer the two complementary forms for implementation is paramount to EMC's goal of providing robust e-mail services. The Web-based form permits subscribers who do not have their own computer, who travel, or who otherwise use different computers to access and use these e-mail services. The client-side application is used by subscribers who do not want to be online for long periods for composing and reading messages. The ability of a single subscriber to use either of these implementations alternatively, on the same account, provides universal access to versatile e-mail services.

The Web-based form of the invention uses distributed computing technology to provide full-featured e-mail services to an end-user subscriber from any suitable computer that is connected to the Internet and has an Internet browser. Currently, full-featured e-mail with privacy enhancements is available only in those e-mail applications that are run on the end-user's local machine. The drawback of this approach is that the user needs to be at that machine in order to use the e-mail application, and thus have all the expected e-mail features and also secure communications. The Web-based form of this invention provides secure communication to or from any place the subscriber is located.

The two forms of the invention have the following features that are unique to EMC's architecture:

1. Fully integrated, controllable compression/decompression;

2. The Web-based form is capable of using privacy enhancements as provided by X.509 certificates;

3. A context-sensitive Interactive Help Panel for interfacing continuously with the subscriber as the program is used; and

4. A "Book" system as is typically applied to e-mail address organization in other e-mail applications is extended to organize message lists, account lists, and certificates.

Several of the above features merit discussion. First, most e-mail applications (Web-based or client-based) do not provide the end user with optionally useable compression/decompression tools. Rather, the user must manipulate the file to be compressed/decompressed in an application separate from the e-mail. A few e-mail applications automatically compress outgoing message attachments that are of a particular size and/or quantity, but the feature cannot be turned off or varied. The present invention integrates compression technology and places control with the end user or subscriber.

The privacy-enhanced Web-based e-mail feature, at a premium level of service above a basic level, should provide all four of the important attributes of security: concealment of the message contents against snooping by others, integrity of the message as against changes in what the sender sent, authentication that the person or user named actually did send the message, and non-repudiatability by the sender that the message was indeed his or hers.

The program warns when messages or their attachments may contain viruses, worms, and other undesired programs that may harm the computer or its files. The user can then take appropriate action, including scanning with a detection program to confirm the presence and type of virus present, and to destroy the virus identified, by then taking appropriate further steps.

The program further permits increased security by adding a further layer of name protection. Currently, the user name and log-in name are the same, although they need not be. EMC is set up to require separate entry of the user name, log-in name, and password.

The Interactive Help Panel of the invention extends the known concept of such computer aids. The Interactive Help Panel continuously displays to the user suggestions and "tips" for the current action the user is performing. Thus, the Interactive Help Panel is context sensitive, i.e., it "knows" where the user is in the program and what the user is trying to accomplish, and it continuously offers instruction on how to complete the task.

The invention offers a "book based organization" that is modeled upon the conventional address book. Received/draft messages, user accounts, and digital certificates are, according to the invention, organized as separate "books." Thus, EMC provides an Address Book, Account Book, Certificate Book, and a Message Book. This innovation provides the subscriber with a familiar way of viewing different information.

Cryptography is the process of hiding information; that is, when something is encrypted it is rendered unreadable to all but certain people who are able to see the underlying information. Two types of encryption are used today: public key and private key. Private key cryptography requires two users to share a secret key (i.e., only they know what the key is) and makes use of this common knowledge to hide correspondence and other data from would-be eavesdroppers. Public key cryptography provides each user with two
keys. One key is publicly available, and the other is kept privately (i.e., no one else knows the key's value). In public key cryptography, concealment is achieved when one user encrypts a message using the intended recipient's public key. The recipient can then use his or her private key to decrypt the message. No person can decrypt the message except the user who possesses the private key that corresponds to the public key with which the message was encrypted.

Client-side e-mail messaging systems may use both public and private key encryption to conceal messages. This is primarily because public key encryption is much slower than private key encryption. As a result, a secret key is randomly generated and used to encrypt the outgoing message. Then, the secret key is encrypted with the public key cryptosystem, and the encrypted message is sent with the encrypted key.

By themselves, cryptosystems are inadequate in the sense that anyone can encrypt a message to send to someone else without proving their identity; that is, it would be easy to forge an encrypted message to someone else. Requiring the use of digital signatures, below, combats this possibility.

A digital signature is a piece of information sent with a message that proves that the message originated from a particular person. It is analogous to a written signature, and is, in some situations, considered to be legally binding. Digital signatures serve for non-repudiation as well as verification functions.

The use of digital signatures and public key cryptography is powerful; however, it does have its flaws. If used without the proper structure, there is no way to identify the individual sending a message. In fact, anyone could sign and encrypt a message without ever revealing his or her identity. A digital certificate enables an individual sending a message to prove his/her identity, at least partially. A digital certificate contains a user's public information and a signature from a certificate authority (e.g., VeriSign, Inc.). Digital certificates and their use are standardized in the X.509 standard. When digital certificates are used, there is little question of validity, non-repudiatability, and integrity of sent messages.

In sum, there are four basic security issues in electronic communications: concealment, integrity, authentication, and non-repudiation. The solution to these problems is referred to as full digital security. The application of cryptography in its various forms addresses each of these concerns; however, the application must be appropriate for these concerns to be properly addressed. Digital signatures, if used properly, provide non-repudiation, authentication, and data integrity. Encrypting an entire message provides concealment. By using encryption and digital signatures properly, one can achieve a secure communication foundation with the only potential risk, besides the compromise of privately guarded information, e.g., private keys, being brute force attacks, but this depends largely upon the cryptosystem being used.

Several cryptographic algorithms are widely used today. The most common private key cryptosystem is the Federal Government's Data Encryption Standard ("DES") as specified in Federal Information Processing Standards Publication ("FIPS PUB") 96. DES is a private key cryptosystem, which means that any two parties wishing to communicate securely must share a common key. The data to be concealed is encrypted with this key, sent, and then decrypted with the same key. A variant of this standard is referred to as triple-DES or "3-DES". 3-DES typically uses two keys and three rounds in the following manner: first, the message is encrypted with the first key, then the result of the first round is decrypted with the second key, and, finally, the result of the second round is encrypted with the first key. DES, which is specified to have a key length of 56-bits, has recently been broken by brute force. However, 3-DES has not yet been broken. The most common public key cryptosystem is the Rivest, Shamir, and Adleman algorithm ("RSA"). It has not yet been broken, and is as strong as its key length (similar to DES in this respect).

A somewhat less powerful public key cryptosystem, presently useful for export purposes, is RC2/40, by the developers of RSA. It works with a 40-bit key, and is not considered secure. However, it can be exported without consent from the US government because its key length is so short.

Digital signatures are achieved by using a specific algorithm, and always use public key cryptography as a foundation. The Digital Signature Standard ("DSS"), also known as Digital Signature Algorithm ("DSA"), is specified in FIPS PUB 186-1. The DSA does not, however, sign the entire message. Rather, a message digest or hash is first created using a particular algorithm. Message digests are formed in fixed lengths and derived from an arbitrary length message in such a fashion that no two unequal messages will result in the same digest. DSA first computes the message digest of the message it wishes to sign, then encrypts the resulting hash value with the private key to create the signature. This signature is then appended to the message and sent as usual.

Two message digest algorithms are important here. The first is MD5, developed by Ron Rivest (of RSA fame). MD5 produces a digest quickly, but not necessarily very securely, as it has some known weaknesses. The second, and more important, hashing algorithm is the Secure Hash Algorithm ("SHA"). SHA is specified in FIPS Publication no. 180-1, and has no known weaknesses. SHA takes slightly longer to process information than MD5; however, the trade-off between time and security is well worth the wait. Furthermore, SHA is specified to work with DSA and the forthcoming ECDSA, below.

The state-of-the-art of digital signatures and cryptography relies upon elliptic curve cryptography ("ECC"), a public key cryptosystem. ECC offers greater security at a substantially lower key length than RSA or other public key cryptosystems. There are currently two identical draft standards (IEEE P1363[12] and ANSI X9.62[1]) that define the DSA for elliptic curves (ECDSA). Elliptic curve cryptography, given its strength-to-key-length-ratio, is the future of cryptography, and existing standards, such as the X.509 certificate standard, will aspire to accommodate various ECC algorithms in the future.

As an additional note, the National Institute of Standards and Technology ("NIST") is seeking a replacement for DES. This replacement will be selected from a pool of 15 candidate algorithms currently under review. The replacement is already known as the Advanced Encryption Standard ("AES"). AES is expected to be finalized early in the year 2000.

The Secure Multipurpose Internet Mail Extension ("S/MIME") protocol provides a secure overlay for the Internet mail standard MIME. MIME is an Internet standard documented in RFC's 2045-2049, providing extensions to the basic e-mail standard RFC 822. These extensions provide for greater flexibility and interoperability of existing e-mail applications as well as expanding the type of data that can be sent via e-mail. Secure MIME provides the capability to use certificates and a variety of cryptosystems. Currently, S/MIME supports the following cryptographic mechanisms: SHA-1, MD5, DSS, RSA, Diffie-Hellman, 3-DES, RC2/40. These cryptographic algorithms comprise a good set of cryptographic tools.
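
The sign-then-encrypt flow that S/MIME provides, shown as an added example with the OpenSSL command line (it is not part of the patent or of the EMC system). The names alice and bob, the example.test addresses, the message text, the choice of AES-256 and the self-signed certificates standing in for CA-issued ones are all constructed assumptions.

```sh
#!/bin/sh
# Added example: S/MIME sign-then-encrypt round trip with the OpenSSL CLI.
# All identities, file names and message contents below are constructed.

# Create a throwaway self-signed X.509 certificate and private key.
# In a real deployment the certificate would be issued by a CA.
make_identity() {   # $1 = short user name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1/emailAddress=$1@example.test" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Work in a scratch directory with two users and one plaintext message.
setup_demo() {
    DEMO_DIR=$(mktemp -d) && cd "$DEMO_DIR" || return 1
    make_identity alice && make_identity bob || return 1
    printf 'Wire 500 USD to account 12345.\n' > msg.txt
}

# Sender side. Signing with Alice's private key gives authentication,
# integrity and non-repudiation; encrypting the signed entity to Bob's
# certificate gives concealment.
sender_send() {
    openssl smime -sign -text -in msg.txt \
        -signer alice.crt -inkey alice.key -out signed.eml 2>/dev/null &&
    openssl smime -encrypt -aes256 -in signed.eml \
        -out sealed.eml bob.crt 2>/dev/null
}

# Recipient side. Bob decrypts with his private key, then verifies the
# signature against the trust anchor (here Alice's self-signed certificate).
recipient_open() {
    openssl smime -decrypt -in sealed.eml \
        -recip bob.crt -inkey bob.key -out opened.eml 2>/dev/null &&
    openssl smime -verify -text -in opened.eml \
        -CAfile alice.crt -out verified.txt 2>/dev/null
}

# Succeeds only if the verified plaintext equals what Alice wrote.
# S/MIME canonicalises line endings to CRLF, so strip CR before comparing.
roundtrip_ok() {
    sender_send && recipient_open &&
    [ "$(tr -d '\r' < verified.txt)" = "$(cat msg.txt)" ]
}

# Integrity: changing the signed body after signing must break verification.
tamper_detected() {
    sed 's/500 USD/900 USD/' signed.eml > forged.eml
    ! openssl smime -verify -text -in forged.eml \
        -CAfile alice.crt -out /dev/null 2>/dev/null
}

# Concealment: a key that is not the recipient's cannot open the envelope.
outsider_blocked() {
    ! openssl smime -decrypt -in sealed.eml \
        -recip alice.crt -inkey alice.key -out /dev/null 2>/dev/null
}

# Run the whole flow when invoked as: sh smime_demo.sh demo
if [ "${1:-}" = "demo" ]; then
    setup_demo && roundtrip_ok && tamper_detected && outsider_blocked &&
        echo "round trip verified; forged and outsider attempts rejected"
fi
```

Because the output is standard S/MIME, any S/MIME-capable mail client holding Bob's key could open `sealed.eml`, which is the interoperability property the text relies on.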
S/MIME provides a universal cryptography tool kit with which a user can enhance the privacy of e-mail correspondence. S/MIME is specified for using the X.509 v3 certificate standard, and uses this standard as a basis for forming trust among individuals. A centralized authority issues these certificates, thus providing a verifiable path of trust.

Central to many Internet services is the issue of user authentication. Authentication here refers to the ability to determine that a sender is who he/she claims to be, in that the sender is bound to the name used. A subtle distinction exists between this definition and other uses of "authentication", which may rather require proof that a user's identity is not false. Here, authentication only binds a single, unique user to the user name. That is, the user name relates to a particular person, who may remain anonymous. To authenticate the identity of an individual to whom a username belongs requires physical presence of that individual.

For a subscriber to log-on to EMC, a separate (i.e., non-certificate-based) authentication procedure is used, employing public key cryptography in accordance with FIPS PUB 196 ("Entity Authentication Using Public Key Cryptography"). Once the user is logged into the service, all requests are performed with Kerberos wrapped in IPSec protocol.

Kerberos is an authentication protocol that can be utilized by subscribers and other entities requesting services on a

Each local network using a Kerberos authentication system can be scaled with other networks implementing Kerberos. Each network is called a realm, and the multiple networks implementing Kerberos are referred to as Kerberi. That each realm can interoperate with the other is useful for the obvious reason that several smaller, modularized networks can communicate securely.

[illegible] Kerberos in use, and [illegible] competing for wider acceptance. [illegible] Kerberos v4 and Kerberos v5. [illegible] objectives are the same. Version 5 offers flexibility as to the environments in which it can be applied by enabling Tickets with more extensions than those [illegible] specified to use Kerberos v5.

Certificates adhering to the X.509 standard are those that are issued by a granting authority for use in secure e-mail and digital signatures. The X.509 standard has several different versions, the latest of which is version 3. Version 3 contains extensions that are not found in the previous versions and allows for greater messaging flexibility. Aside from defining the specific content of certificates, the X.509 standard also sets the stage for Certificate Authorities and how they are to implement the use and issuance of certificates. More precisely, X.509 specifies that an issuing authority must create a Certification Practice Statement, which [illegible] various policies pertaining to the issuance and use of
network. It is said to be scalable, but for the purposes of ^ certificates 

EMC, it needn't extend past a simple protocol level. Ker- Unfortunately, ihe above practice allows for wide policy 

beros uses pubhc key crypto^aphy to authenticate users ^^^^^^ between different issuing authorities. However, at 

r 30 least two groups are currently working on extending the 

I^^i^ ^ . ^ • r « • * , X.509 standard to close some of the "holes" that are left to 

Kerberos was designed with the followmg implementa. ^^^^^ ^ p^^.^^ ^ ^^^^^^ ^^^^^^ p^^^j^^ 

tion goals: p^^^^^ j^^y Information Exchange ("PKIX") is a work- 

1. Secure: An eavesdropper should not be able to obtain draft of the Internet Engineering Task Force and wiU be 
any information that would aUow impersonation. Ker- 35 ^ superset of X.509. Another group, the Meta Certificate 
beros should not be a weak link in the security chain. (jroup. is also seeking to expand on the X.509 standard. 

2. Rehable: Kerberos should be unplemented with redun- when the working drafts ar« implemented as sUndards. 
dancy in mind, to prevent denial of service attacks. those entities employing X.509 certificates will easily tran- 

3. Transparent: Ideally, the user/entity being authenticated sition to the new standard of choice. 

should not be aware that authentication is taking place. 40 FIG. 3 represents a certificate chain that validates various 

with the exception of a necessary user password. certificates. The notation X«Y» is defined in the X-509 

4. Scalable: Kerberos was designed for a distributed, standard, and is read as X signs Y. The root must be a 
modularized world. Certificate Authority. There can be many trees with many 

Thus, the model is scalable to numerous clients and roots in existence and they will all be able to certify each 

servers. 45 other, provided that each root has signed the root of the other 

This authentication scheme is typically used for user trees. That is to say that if two trees, say A and B, have 

authentication, but is suitable for entity authentication as distinct certificate chains and the CA (root) of each tree has 

well. An entity is defined to be a process or server thai signed the other CA's root certificate, any certificate on 

requests service from another process or server. either tree (A or B) can be verified by any other certificate 

A Ticket is similar to a certificate and contains informa- 50 on either tree (A or B). 

tion about the entity making the request and the nature of the A Certificate Authority ("CA") provides a trustworthy 

request, Kerberos is designed to virtually eliminate any ccrtificatechaintousersof the Internet. Certificates typically 

compromise of passwords and private keys, replay attacks, conform to X.509 standards. Furthermore, CA's are 

and other potential security risks. This does not mean, required, as stated in X.509, to create a Certification Practice 

however, that Kerberos is flawless. Kerberos relies upon 55 Sutement ("CPS"). The CPS is what defines a CA and its 

time synchronization between servers. If an attacker could offerings. VeriSign, a PKI corporation that provides three 

somehow fool a server into believing the time was different levels of certification in a class system, provides the best 

than it was supposed to be, then the attacker could circum- example of a CA. The three certificate levels that VeriSign 

vent Kerberos. No authentication protocol is completely offers are class 1, class 2, and class 3. Class One certificates 

flawless. 60 have the lowest secure authentication, and Class Three 

On a basic level, the entity requesting a service sends a certificates have the highest level, 
request to the authentication server, which replies with an A CA should have differing levels of certificates; 
encrypted Ticket. The Ticket is decrypted by the entity however, a three-tier class structure seems to be too con- 
applying for services, and then sent to the TGS. The TGS fusing and complicated for EMC's purposes. Certificates 
then replies with a Ticket for the particular service requested 65 provide for secure e-mail and non-repudiation: however, the 
and that Ticket is sent to the server from which services are true identity of the user on the other side of the communi- 
requesied. cation is still unknown. Thus a two-tier class system should 
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be all that is oecessary. The lowest level of security a e-mail address or password, whereas the higher level of 

certificate should offer is that which binds an e-mail address verification binds the certificate, the e-mail address, and the 

and a credit card account to the user applying for a oertifi- actual identity of the individual. This is not necessarily 

cate. There is no guarantee that no credit card firaud is taking foolproof, as an applicant presenting false identification to 

place, thus identity is not absolutely proven. 5 the notary public or other officer could circumvent even the 

The second, and higher, class of certificate guarantees highest level of verification, 

authentication of the user's true identity via physical idcn- The EMC hardware architecture provides secure e-mail 

tification. This means that the user applying for a level-two services from a safe, yet flexible source. Consideration is 

certificate needs to be identified with proper credentials (i.e., given to security, authentication, validation, and ease of use. 

a passport or driver's license) by the CA or a licensed lO The Architecture may consist of several servers: mail, cer- 

signatory. A particularly easy method of achieving this goal tificate authority, web/application, and a servlel server (as 

would be to have the user download and print a legally shown in drawing FIG. 2). All servers communicate with 

binding document (the document can contain a digital Kerberos authentication wrapped in IPSec protocol, as in 

watermark to protect the integrity of the document) that the FIG. 4. 

user can sign in the presence of a notary public or other 15 Secure communication between servers is accomplished 

official The document is then physically sent (by courier or by using IPSec, an Internet security protocol applicable to 

mail) to the issuing CA for confirmation. The approved local area networks. IP Security ^ecification is complex, but 

applicant would receive the issued certificate in one of two is well documented in the following RFC standards released 

ways. The certificate would either be distributed via pass- by the Internet Engineering Task Force: 

word authenticated secure Web download, or it could be sent 20 RFC 1825: An overview of a security architecture* 

via certified mail or by some other trusted courier. RpC 1826: Description of a packet authentication exten- 

A Certificate Authority has several issues with which to be g^^^ jp. 

concerned. First is the concern over the secure delivery of Dcr« iot7 A • *• r i * *• . • 

. . . r *L 1 * * -m.- » • . *u RFC 1827: Description of a packet encryption extension 

pnvate mformation over the Internet. This pertams to the to IP* 

distribution of approved certificates of any security class. A 25 r»™ ^o*«o 

secure connection, either via a new dial-up number or via a ^ aulhenUcation mechanism; and 

secure Web page using SSL, must be esUblished and appro- ^^29: A spcdhc encryption mechanism, 

priately used to distribute a new certificate. Second is the ^h^ speafication for IPSec is known to those of skill in 

concern over the validity of the claim of identity made by an Differences exist between communications between 

applicant. In other words, is the applicant really who he/she 30 servers and communications between a server or ISP and a 

claims to be? Unfortunately, without physical appearance "^r. The communication between the server and the user 

and credential checks, there is currently no cost-effective (^-S ' sending e-mail) is handled by Kerberos, and the 

method to achieve valid authentication of identity by digital- underlying communication between servers is handled with 

only means. Third is the plausible lifetime of a certificate. IPSec. See FIG. 4. 

By some mathematical models, the lifetime of a root cer- 35 security redundancy helps eliminate "sniffers" and 
tificate should only be about two weeks. By practice ^^^^^ would-be atUckers from snooping on communica- 
standards, however, the root certificate lasts for a year or Purthermore. Kerberos virtuaUy eliminates replay 
longer. attacks, regardless of the underlying communication secu- 
The' architecture of the present invention relies on each "^V- Perhaps the best way to understand the way different 
operator of the system (e.g., each ISP) being either an 40 l^veU of security are engineered is to think of requests for 
Issuing Authority (granted a license by the ultimate CA), or service as bemg Keri)eros, and communication of those 
being the CA itself. The Certification Practice Statement requests as bemg handled by IPSec. 
("CSF-) of EMC's architecmre requires that varying levels ^^C servers are functionally different from one 
of true authenticauon be provided in a two-tier system, and another, thus each server has different operating require- 
that key generation, root certificate generation, and destnic- 45 ments. The optimal operational requirements, as presently 
tion of keys and root certificates be done on a FIPS 140-1 known, for the servers are listed below with brief justifica- 
level four approved computer. Moreover, the CPS provides ^^o"^- '^^^^e requirements are necessary to meet EMC's 
requirements for setting up the certificate service when secure specifications: 

implementing the EMC architecture. That is, when autho- TGS: this server should be a dual processor (quad 

rization is licensed to any issuing authority, the authority 50 capable) system running a B2 trusted operating system, 

must provide proof that the architecture of EMC is in ™s is the server that grants Tickets to requesting 

conformance to security guidelines as specified in the archi- entities. High processing speed is a requirement in that 

lecture layout and in the CPS. These requirements provide server is often asked to do a lot of work in a short 

for cohesion among those issuing authorities affiliated with amount of time. 

the certificate authority. 55 AS: this server also should be a dual processor system 

Essentially, the CPS is the central controlling point for running a B2 tmsted operating system. The authenti- 

EMC and is the doctrine by which EMC is implemented. cation server need only be applied to once per session 

The familiar VeriSign Certification Practice Statement pro- when using Kerberos v5, thus the server must be at 

vides an adequate foundation from which extensions can be l^ast as fast as the TGS, and the TGS must be at least 

made to provide a more comprehensive, authentication- 60 as fast as the AS. The trusted operating system is 

friendly service. EMC provides two "levels" of confidence necessary because this server provides entity authenti- 

when generating its certificates. The lower level of confi- cation, 

dence verifies the user's identity via digital information, and PKS: this server should have dual processors, is qua- 

the higher level of confidence requires the user to sign a druple processor capable, and is highly expandable in 

legal document in the presence of a notary public or similar 65 the number of hard-drives it can accommodate. It is 

officer for personal identification verification. The lower important that this server be "hot swappable" so that 

level of verification only binds a certificate to a particular new hard -drives can be added without an interruption 






of system service. Because this server houses the
Certificate Revocation List, it, too, runs a B2 trusted
operating system.
Mail: the mail server should be a quadruple processor
machine with hot swappable disk expansion. Much
information is continually changing on the drives of
this machine, thus the processing speed needs to be
high. Of similar importance is the level of the operating
system for the mail server. As with the other servers,
this server also uses a B2 trusted operating system. The
combination of speed, flexibility, and trustworthiness
creates an environment that is conducive to good
business.

KCGS: this is the most critical server. This server must
conform to level four security levels as specified in
FIPS PUB 140-1. Furthermore, each of the two
required machines should contain dual processors and
be quad processor capable. There are periods when
these machines are required to generate much
mathematical data in short amounts of time; thus the
processor speed is of the utmost importance. Storage
space, however, is not a large concern. Sufficient
storage is necessary to store any cryptographic files that
are necessary for generating digital certificates.
Firewall: the firewall server is also of critical importance,
whether there is a single firewall or a dual firewall
configuration. The firewall is responsible for "filtering"
incoming traffic as well as releasing outgoing traffic. As
such, the firewall should be run on a quad processor
machine. The firewall requires little in the way of
hard-drive space, but a substantial amount of RAM.
The firewall(s) conform to the B2 trusted system status.
Public Access: the public access server should be a dual
processor machine. This server is the central location
from which individuals check publicly available
information and/or apply for digital certificates. The amount
of hard drive space required by this server depends
largely upon the amount of information to be stored on
it. Because the Public Access server acts as an access
point to critical server processes, e.g. certificate
generation, it must reside on a B2 trusted system.
The above represents general requirements for the various
servers to be provided in any given implementation of EMC.
Each server should run on a B2 trusted operating system (as
specified in the Department of Defense "Trusted Computer
System Evaluation Criteria"). The amount of Random
Access Memory ("RAM") is commensurate to the duties
and processing needs of the particular server. Because some
of the servers may be doing more or less work than others,
the amount of RAM necessary varies between
implementations. Similarly, the amount of hard disk storage needed to
be available to each machine must be determined for each
system, individually. Some servers, such as the mail server
and PKS, require substantial amounts of space depending on
the number of clients the particular implementation will
support.

Where applicable, the server is highly expandable and/or
extendable. As an example, the mail server will have the
capability to expand as its user base grows. Once a mail
server is at full capacity, another such server will need to be
implemented, or a larger server will replace the existing one.
In addition, each server must adhere to the requirements for
server communication and entity authentication (IPSec and
Kerberos).

The EMC e-mail application is available in two forms:
Web-based application and client-side. The basic function- 
ality of each implementation is the same. 



The application is designed to operate as either an applet- 
like program that extends to the user's computer and is run 
through a Web browser, or as a downloadable application 
that runs exclusively on the user's machine. The application 
contains the following list of features to provide a compre- 
hensive and unique product. The following basic functions 
are found in both implementations: 

Users can receive mail from any existing POP3, IMAP, 
SMTP, etc. account; 

Vacation reply ability; 

Improved Address and Message Books; 

Spell checking capability of outgoing messages; 

HTML anchor linking (ability to invoke the default 
browser); 

Multiple addresses, e.g., for various members of the 
family (secure communication with separate certifi- 
cates only); 
User definable appearance (e.g. wallpaper); 
The ability to mark read messages as "new";
Read messages are automatically downloaded to the 
user's machine after a specified amount of time; and 
Print capability from the application. 
Each implementation requires different handling of func- 
tionality in order to emulate these features; however, the 
differences between the overall look and feel of each
implementation should go largely unnoticed by the subscriber.
The e-mail application is designed to implement S/MIME 
messaging utilizing X.509 certificates. 

The cryptographic modules in EMC are of security level 
four quality as defined in FIPS PUB 140-1: 
"A Level 4 cryptographic module provides an envelope of 
protection around the cryptographic module. The intent 
of Level 4 protection is to detect a penetration of the 
device from any direction (rather than just attempts at 
the cover or door covered by Level 3 requirements) and 
respond by destroying critical information before it can 
be acquired. For example, if one attempts to cut 
through the cover of a cryptographic module, the 
attempt would be detected and all critical security 
parameters would be zeroed. Level 4 allows software 
cryptography in multi-user, multi-tasking systems 
when a B2 or equivalent trusted operating system is 
employed. A B2 operating system provides a large 
number of assurances of the correct operation of the 
security features of the operating system." 
Essentially, the cryptographic module containing the soft- 
ware that produces authentication keys, certificate 
information, root keys, etc., should reside on a level B2 
operating system. This makes reference to the Department of
Defense Trusted Computer System Evaluation Criteria
("TCSEC", or "The Orange Book"). In addition to providing
extra detection, environmental controls must be placed on 
the module. That is, the module should be able to check 
environmental conditions (i.e., heat) and to zero essential 
information upon experiencing threatening conditions, e.g., 
too high a temperature, or the module should be rigorously 
tested against such conditions. 
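
The zeroize-on-threat behaviour described above, sketched in C as an added example (it is not code from the patent or from any FIPS 140-1 validated module). The temperature limits, the `crypto_module` type and every function name are assumptions made for illustration, and `module_tag` is only a stand-in for a real keyed operation.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 16
/* Assumed operating envelope for this sketch; a real module takes its
 * limits from its own hardware specification. */
#define TEMP_MIN_C (-10)
#define TEMP_MAX_C 70

typedef enum { MOD_EMPTY, MOD_OPERATIONAL, MOD_ZEROIZED } mod_state;

typedef struct {
    uint8_t   key[KEY_LEN];   /* critical security parameter */
    mod_state state;
} crypto_module;

/* Write zeros through a volatile pointer so the compiler cannot drop the
 * stores as dead code when the buffer is never read again. */
static void secure_zero(void *buf, size_t len) {
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--)
        *p++ = 0;
}

void module_init(crypto_module *m) {
    secure_zero(m->key, KEY_LEN);
    m->state = MOD_EMPTY;
}

/* A zeroized module stays latched until module_init() re-provisions it,
 * so a threat event cannot be cleared by loading a new key. */
int module_load_key(crypto_module *m, const uint8_t key[KEY_LEN]) {
    if (m->state == MOD_ZEROIZED)
        return -1;
    memcpy(m->key, key, KEY_LEN);
    m->state = MOD_OPERATIONAL;
    return 0;
}

/* Evaluate one sensor sample; returns 1 if it triggered zeroization. */
int module_poll_sensors(crypto_module *m, int temp_c, int enclosure_breached) {
    if (m->state == MOD_ZEROIZED)
        return 0;
    if (enclosure_breached || temp_c < TEMP_MIN_C || temp_c > TEMP_MAX_C) {
        secure_zero(m->key, KEY_LEN);
        m->state = MOD_ZEROIZED;
        return 1;
    }
    return 0;
}

/* Stand-in for a real keyed operation (NOT a secure MAC). It fails closed
 * unless the module is operational. */
int module_tag(const crypto_module *m, const uint8_t *msg, size_t len,
               uint8_t tag[KEY_LEN]) {
    if (m->state != MOD_OPERATIONAL)
        return -1;
    memcpy(tag, m->key, KEY_LEN);
    for (size_t i = 0; i < len; i++)
        tag[i % KEY_LEN] ^= msg[i];
    return 0;
}

/* Returns 1 when every key byte is zero. */
int module_key_is_clear(const crypto_module *m) {
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        acc |= m->key[i];
    return acc == 0;
}

/* Provision a module, feed it one sensor sample, and check the response.
 * Returns 0 when the sample zeroized the key and the module failed closed,
 * otherwise the number of the first step that did not behave that way. */
int demo_trigger(int temp_c, int enclosure_breached) {
    /* Constructed sample key and message, for illustration only. */
    static const uint8_t sample_key[KEY_LEN] = {
        0x10, 0x21, 0x32, 0x43, 0x54, 0x65, 0x76, 0x87,
        0x98, 0xa9, 0xba, 0xcb, 0xdc, 0xed, 0xfe, 0x0f };
    static const uint8_t msg[] = "constructed message";
    uint8_t tag[KEY_LEN];
    crypto_module m;

    module_init(&m);
    if (module_load_key(&m, sample_key) != 0) return 1;
    if (module_poll_sensors(&m, 25, 0) != 0) return 2;    /* normal sample */
    if (module_tag(&m, msg, sizeof msg - 1, tag) != 0) return 3;
    if (module_poll_sensors(&m, temp_c, enclosure_breached) != 1) return 4;
    if (!module_key_is_clear(&m)) return 5;               /* key destroyed */
    if (module_tag(&m, msg, sizeof msg - 1, tag) != -1) return 6;
    if (module_load_key(&m, sample_key) != -1) return 7;  /* still latched */
    return 0;
}

int main(void) { return demo_trigger(95, 0); }
```

A sample inside the envelope leaves the key in place, so `demo_trigger(25, 0)` stops at step 4; an out-of-range temperature or an opened enclosure destroys the key and every later key operation is refused.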

The architecture of the EMC system provides security 
level four for the creation of digital certificates. This means 
that the machine, software, and any related hardware or 
software that is involved with the generation of keys, prime 
numbers, or any other portion integral to the creation of a 
digital certificate resides on a machine that meets the 
requirements to be certified for level four security as speci- 
fied in FIPS PUB 140-1. 
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The EMC architecnire uses a rich array of cryptographic. The fcllowlDg outliDCs present the application features 

authentication, and other protection protocols. Most of these from the user's point of view. Each major feature is listed 

varying protocols have been standardized. These standards with its sub-features below, and is followed by a paragraph 

will undoubtedly evolve. Each standard chosen for its par- further explaining the features' intended purpose and their 

ticular duty promises to evolve nicely and evenly, thus 5 importance: 

providing EMC with a probable vertical evohilion of its The Log-In functions: 

. 4- ,1 . J * - J ... 0.1 User's Name 
This mventioD is designed to provide users with secure 

message transmission via the X.509 certificate standard as ^ ^ Log-In Identification 

implemented with Secure Multipurpose Internet Mail Extcn- lO 0-3 Password or Pass-phrase 

sions ("S/MIME"). 3-step long-in requirement afiFords an added level of 

This invention has many distinct features and function- security for a user. Normally the User's name is used as the 

alities. The invention is designed so that an Internet browser Log-In identification, but this need not be so. 

can run one form of the e-mail service, or another form can The Send Messages functions: 

be loaded onto a user's local machine to be run as a standard is i.i Address Lookup 

application. Sufficient information is supplied in this speci- ^ 2 File Attachment 

fication to allow a developer to implement the invention. " 

The features are listed in a hierarchical fashion, thus ^P®" Message Body 

providing a developer the necessary background to suffi- 1-^ Compression Attachment(s) 

ciently modularize the implementation. The modularity pro- 20 13 Encrypt Message 

vides for easier coding and testing of the features contained i.g Digitally Sign Message 

in the application. The invention is described from the user's The user needs to have the abiUty to send messages. Sending 

pomt of view, thus providing invaluable insight for the messages involves composing a message, selecting an 

developer. If consideration is always given to the user, then address to which the message is to be sent, atUching media 

the final product wm be a good one that users will enjoy and 25 files, encrypting/signing the outgoing message, and, if 

appreciate using. applicable, compressing any of the attachments to the mes- 

This invention IS an e-mail application consisting of many sage. The composition feature is inherent to all e-mail 

common e-mail features, as well as some invaluable new appUcations. The application provides message composition 

ones. The major features of the e-mail application are listed with all of these features. 

•'^ The ability to compress outgoing message attachments 

Send and Receive messages, and Reply to and Forward from within the e-mail application is a unique feature of the 

messages application in that the compression is handled entirely by the 

Stop or initiate vacation response program application and relies on no external application. 

Inbox modification The Receive Messages functions: 

E-mail Account book modification 2.I Add Address to Address Book 

Application appearance modification 2.2 Save Attachment(s) 

Enable or disable signature appendage 2.3 Decompress Attachment(s) 

Address book modification o >i \/ c. r-.- •* n o- j 

Message fillers ^ 2.4 Verify Digitally Signed Messages 

Virus warning 2.5 Decrypt Messages 

Dual naming ^"^^ Warning for Message Attachments 

These are the primary features that create the functional When receiving messages, the appUcation displays the infor- 

foundation for the e-mail application. These features are important in describmg the message(s), the content 

further enhanced by adding the use of digital certificates 4S message(s), and the size of the message(s). This 

(X.509 ), a built-in compression utiUty, and the overaU dual "^formation is referred to as the header information of the 

functionality of being able to run through a browser or as a message(s). At first, only the header information is retrieved 

stand-alone application. ^^^^ ^^^^ ^^^^ displayed lo the user. When the user 

This application is designed with two general environ- ^^^^ ^ message to be read, then the complete message is 

ments in mind. The first environment is that of an Internet 50 downloaded and displayed to the user Furthermore, atlach- 

browser, such as Netscape Navigator In this sense, the ^^'"S^ ^''^ provided pnor to download. Some incom- 

application is to run through the browser in order to get to messages may be encrypted, digitally signed, and/or 

the user. The modular design of the application provides for compressed. The application automatically performs 

simple transition between Web-based application usage and decryption, digital signature venfication, and/or decompres- 

the second environment. 55 ^ necessary. 

The environment first discussed is that of the Windows/ application's ability to automatically handle corn- 
Intel environment pressed files is a unique feature. The application also decom- 
This section lisU the features of the application in detail. Passes incoming attachments that have been compressed 
The format is an outline that places each feature either as a instance, the gzip algorithm, 
top feature of the application, or as a sub-feature of another 60 ^^^^ Message Book functions: 
feature. The highest features are those with the lowest 3.1 Add New Folder 
number. These initial features are described as "level zero", 3 2 Delete Existing Folder 
and each successive level of sub-features increments this ^ ^ Com R 1 M 
count. As an example, level four would be a feature located ' 

five tiers "down" in the hierarchy. The feature listing can be 65 ^ Manipulate Message Status 

viewed as an upside-down tree where the root of the tree is ^-^ Order Messages in Particular Folder 

at the top. In this case, the root of the tree is the application. 3.6 Archive FoIder(s) 
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3.7 Delete Message(s) 7.4 Item Placement 

3.8 Save Originator information 7.5 Delete Folder 
The application provides a rich set of tools that the user can 7.6 Delete Address 

employ to organize messages. The message folders are The address book is an important feature of any e-mail 
displayed to the user in a three-folder format. The three main 5 application. The application presents the user with a clean, 

folders are the inbox, the sent folder, and the draft folder. easy-to-use interface for creating, storing, and manipulating 

The inbox contains all messages received by the user, the e-mail addresses. Each address is treated as a business card, 

sent folder keeps a copy of all messages that the user has or data sheet, and contains the addressee's name, e-mail 

sent, and the draft folder contains those messages whose address, telephone number, fax number, house or business 

composition has been commenced but not yet completed. In address, and notes about the addressee. Each of these 

addition to these primary folders, the user can add new address card fields are provided by the user, or taken from 

folders as sub-folders. Any created message folders can be a received message, i.e. an e-mail address. In addition to 

deleted and easily moved to a new location. This provides providing individual address organization, the application 

for organizational flexibility such that the user can create a provides the ability to create folders to hold addresses. The 
customized message folder hierarchy. ^5 folders can be used in such a Way that they group those 

The Modify Account Book functions: addresses with something in common. For example, a par- 

4.1 Add E-mail Account ticular user may have several friends, business associates, 

4 2 Delete E-mail Account family members with whom they correspond via e-mail. 

43 Set Default E-maU Account(s) ^ "'^'''T ^^^^"'.^f ^ °^ 
ly^^wmi tj iuau r^^uuiy^j 20 correspondent— a folder for friends, a folder for business 

4.4 Get Messages from E-mail Account associates, and a folder for family members can be created. 

4.5 Create Account Folder The Modify Filters functions: 

4.6 Delete Account Folder 8.1 Create New Filter 
The user is given the opportunity to check all existing e-mail 8.2 Delete Existing Filter 
accounts through one server — the application's mail server. gj Modify Existing Filter 
The method in which it is presented to the user is unique. § 4 Create Inbox Folder 

The user's accounts are organized in an account book. This ^ advanced feature of many e-mail appUcalions local to the 

account book holds, in addition to account information, ^^^^^ machine is the ability to filter incoming messages, 

information that instructs the appUcaiion if the user would ^an create a filter that applies a rule to incoming 

like the accounts to be automatically checked, or manually messages. Messages that pass the tests set up by these rules 

checked. Thus, the user has complete control over what e-mail accounts are checked and when they are checked. The account book better organizes the various accounts a user may have by providing the ability to group accounts into folders, and to provide the user with a clean interface with which to access other accounts.

The Modify Appearance functions:

5.1 Alter Background Picture

5.2 Import Background Picture

Many users have different tastes in music, entertainment, food, and many other activities. Users of the Internet, and thus e-mail, comprise the most diverse of all communities. The application provides the user with the ability to set visual preferences when using the application. Several backgrounds are available as well as poster cards, note cards, and other graphical designs. Furthermore, the user can import an image that he/she wishes to use. The application is completely customizable, giving users the feeling that they "own" the application.

The Modify Signature File functions:

6.1 Enable Signature File

6.2 Disable Signature File

6.3 Create Signature File

6.4 Modify Existing Signature File

Signature files are text files that are appended to the end of every message a user sends. These files are useful to users who wish to send a quote, place contact information or include other information on every outgoing message. Signature files do not need to be used, thus the application provides the ability to choose between using or not using a signature file.

The Modify Address Book functions:

7.1 Add New Folder

7.2 Compose to Highlighted Address/Folder

7.3 Add Address(es)

placed into the designated folder contained in the Inbox. The ability to create message filters requires the ability to create folders in the Inbox directly from the filter (in case the folder hasn't already been created).

The Vacation Reply functions:

9.1 [illegible]

9.2 Modify Reply Message

9.3 [illegible]

"Vacation reply" is a feature that can be activated or deactivated as the user desires. A user can use the vacation reply program on the mail server to respond to incoming messages while the user is away. If the user is on vacation, or out of town for a few days, the user can enable the vacation reply program from the application, tell the program what the reply is to be, and then turn it off when they return. As an advanced feature, EMC's reply program understands the concept of time, and can be preset to disable itself. Reply messages sent by the vacation reply program cannot be signed or encrypted.

The Web-based and client-side implementations of the application are inherently different. One runs on the Web, the other on the user's local machine. The differences [illegible] that the Web-based application has a different operating environment than the downloaded application. The [illegible], client-side application simply downloads to the [illegible] user wants to [illegible] implementation can contain and process [illegible] information completely on the local machine. On the other hand, the Web-based application cannot behave [illegible] bandwidth constraints and for other reasons.

This implementation of the application (known as "client-side") is run within a single frame (see FIG. 5). That is, when
the user launches the application, a single window appears, and nearly all operations performed by the application take place within this window. The window contains a title bar, menu bar, selection buttons, three radio buttons, three checkboxes, three subwindows, and an Interactive Help Panel. The organization of the title and menu bars is familiar to users, in that the elements are located at the top of the window and span the width of the window.

The selection buttons are "Create," "Send," and "Retrieve Messages" (FIG. 5). The Create button permits the user to compose an outgoing message. The Send button permits the user to send a message that has just been composed, and the Retrieve Messages button instructs the application to check for new messages on the mail server(s). The three sub-windows consist of a folder window, a larger, primary window, and a medium-sized, viewer window. The folder window is small and displays the various message folders that the user has available. The larger window is a dynamic window that may contain the composition of a message, a dialog with the user, or other functions. The medium-sized window is for displaying message headers, account information (if in the e-mail account book), and address information from the address book (if in the address book).

The three checkboxes provide the application with knowledge of the user's cryptography/compression preferences for the current composition. The three radio buttons are used to toggle among the address book, the account book, and the message book.

The Interactive Help Panel at the lower right of the image is used to help guide the user through the use of the application. The goal of the Interactive Help Panel is to give the user information pertaining to the current state of the application without being "in the way" with extra windows and/or unnecessary dialog boxes. The Interactive Help Panel is described in detail below.

The user interface is graphical and is organized as shown in FIG. 5 and later figures. This interface was created using Visual Basic, although other languages can be used. The sub-windows are referred to, beginning with the top-most window and moving clockwise, as one, two, and three. Thus, the third window is the largest window (where "Application Logo placed here" is shown), the second window is the one just above the Interactive Help Panel, and the first window has a vertical scroll bar.

The menu bar contains four menus: File, Address Book, Account Book, and Help. Each menu is explored below in some detail.

The Interactive Help Panel ("IHP") is displayed in the lower right hand corner of the application window. The purpose of the IHP is to give the user useful tips, hints, and suggestions when using the application. This panel is also used for user prompting, especially when the user is about to perform a "destructive" act, such as modifying a message filter, or deleting an address sheet. Each display of the IHP also includes a toggle switch that, when selected, will disable that particular suggestion. Entering the preferences option from the file menu on the menu bar resets the IHP.

The File menu (FIG. 5, top line) contains nine sub-menus: exit, get messages, create, preferences, compress/decompress folder, display, filters, certificate book, and print. This menu option provides some miscellaneous functions of the applications that don't fit in the other menu options.

If exit is chosen from the File menu, the application determines what state it is currently in. If the application is in the compose state, the user is prompted to save the current draft to the Draft List from the Interactive Help Panel. If the application is currently viewing a message, then the application simply shuts down. If the application is in a running state, that is if it is currently performing some operation such as encryption of an outgoing message, the ability to exit is not available. This prevents the user from exiting during the execution of a critical process.

The "get messages" option initiates the process of checking for and receiving any new messages that are on the mail server(s). If the application is currently performing another process, this option is not available to the user.

The "create" option initiates the application's composer. The composer is fully described below. This option is unavailable when the application is performing another operation.

The Compress | Decompress Folder option from the File menu places a dialog box in window three of the application, as in FIG. 6. The dialog shows the status of the user's Message Book in a hierarchical fashion. The user can select (highlight) a folder and then compress that folder. When the message is compressed, it is saved in an alphanumeric fashion. As an example, if the Sent List were to be selected, the saved (compressed) file would be "sent1.cmp". The folder would then be replaced with a new one. The new folder assumes the same name as the folder that was compressed. The dialog appears as shown in the image of FIG. 6. The user can delete as many folders as is desired or none at all.

From this dialog, the user may also decompress previously compressed folders. A list of previously compressed folders is shown in the text box labeled "Archive List" in the lower left-hand corner of the screen. To decompress a folder, the user first highlights the archived folder from the Archive List text box and then selects the "Decompress" button. When a file containing a folder is decompressed, the entire folder is placed within the current folder that replaced it when it was compressed. If that folder has been deleted or is otherwise not in existence, the application places the decompressed folder as a subfolder of the inbox.

As an example, when the Draft List is archived and labeled as the file "draft1.cmp", where the "cmp" extension represents a compression file, the application creates a new Draft List to replace the old one. When draft1.cmp is decompressed, a new folder is created in the Draft List named "Draft List 1", and the messages/folder listings that were contained in the compressed file are placed in this new folder. This option is not available if the application is currently running a process. To quit this operation, the user selects the "Done" button, which returns the application to the previous state of operation.

The Preferences selection places a new display in the third window of the application (see FIG. 7). The preferences dialog allows the user to set certain defaults and to reinstate the Interactive Help Panel (if any of the options were previously disabled). Default preferences are set upon installation of the application. If the user has obtained a digital certificate, then the "encrypt" and "sign" options are set in addition to the other pre-set options. These pre-set options are outgoing compression and the Interactive Help Panel.

The user can select the options that he/she prefers. If a user doesn't wish to use the Interactive Help Panel, that option can be disabled by checking the checkbox "Interactive Help Panel Settings" heading. In order to restore the Interactive Help Panel to the default functionality, the user would click the "Reset Interactive Help Panel" button. The user also has the availability to enable/disable encryption, digital signatures, attachment compression, signature file appending, and outgoing message options. When the user is
finished selecting and/or deselecting the available options, he/she may exit the preferences display by selecting the "Exit Preferences" button. When this button is pressed, the application moves to the prior state of the application. That is, if the user was in a different state, such as composition, that state would return to the display, assuming the exact information that was there when the user entered the preferences state. It is important to note that the selection of certain options from the preferences display does not affect the previous state of the application. Thus, if the user was composing a message before entering the preferences state, and then changed the encryption settings, these changes would be noticed, not on the current composition, but on the next composition.

The View Certificates component allows the user to view and control the various certificates that are stored in the certificate book (FIG. 8). The user can view certificate information, revoke certificates, and determine those certificate authorities that they trust.

The dialog, as displayed in the third window of the application, contains a text box, instructions, and seven buttons. The four buttons lined along the top of the text box display certificate listings for various entities: Certificate Authorities (CAs), other people, the user's certificate, and the Certificate Revocation List (CRL). When one of these buttons is selected, the text box of the dialog displays the appropriate certificates to the user as a list. To view a certificate, the user highlights that certificate within the text box and then clicks the "View" button. Then the certificate information replaces the certificate list. The user also is able to revoke certificates by first highlighting the certificate from a list presented in the text box, then clicking the "Revoke" button. When the user is finished with the certificate book, he/she clicks "Done" to return to the previous state. That is, if the user was composing a message when they entered the certificate book, then that composition reappears when the user exits the certificate book.

The Display option gives the user the ability to change the appearance of the application in general. Options include any images that are available on the application, as well as windowing properties (i.e. frame color, etc.).

Selection of the "Filters" option from the file menu displays a filter dialog in the third window of the application (FIG. 9). This dialog allows the user to create, modify, and/or delete existing e-mail filters.

The user adds a message filter by entering a filter name, the constraint field of the filter, what the field should contain in order to be filtered, and a folder in which to place the messages meeting the requirements of the filter. The constraint fields are those fields found in the header of an e-mail message, such as "to", "from", and "cc". The user can select any number of containments for the field, the most common being either part or all of an e-mail address. The pull down menu lists the current folders in the Message Book, and contains a selection that allows the user to create a new folder from within this display. This display cannot be entered if the application is currently running a critical function.

The address book menu (in the top line of the tool bar) contains one sub-menu: modify. The address book is displayed (FIG. 10) in terms of Address Sheets and Address Lists in the second window of the application, and the dialog for manipulating the address book is shown in the third window of the application.

The Modify option is not available to the user if the application is currently running a process. Selecting the Modify option brings up a dialog box that guides the user through the process of adding, modifying, and/or deleting an address to the address list, which is displayed to the right in the second window of the application (FIG. 10). As the image indicates, the user is able to both add and modify address sheets for correspondents directly from this dialog box as well as add and/or delete address folders. If the user wishes to add an address to the Address Book, he/she enters the relevant information in the text boxes labeled Name, E-mail, Phone, Fax, Address Fields, and Notes. Then the user selects the address folder in which to place the new address from the pull down list located in the lower center area of the GUI. To complete adding the new address, the user simply clicks the "Add to:" button.

If the user would want to modify an existing address, he/she first highlights the address name shown in the second window of the application (far right). When he/she highlights the address listing, the user then sees the full information for that address appear in the text boxes of the dialog box. The user can then make the appropriate changes to the information, and then click the "Add to:" button to replace the old address with the new one. A prompt is placed in the Interactive Help Panel before the old address is actually replaced, to confirm the user's desire to perform that action. When the user is finished modifying the address book, he/she can exit the dialog by selecting "Done". When this button is selected, the application moves back to its previous state. Thus, if the user was composing a message, then the composer is displayed with the previous information contained in that display maintained.

The pull down list that displays the current folders has an option that allows the user to type a new folder directly into that box. Then, when the user presses the "Add to:" button, this folder is created, and then the new address is placed into that folder. This method of adding a folder to the address book can also be used to create a folder containing no new address. When the user wants to add only an address folder, then he/she leaves all of the text boxes blank, types the name of the new folder in the pull-down menu, and then clicks the "Add To:" button.

Furthermore, if the user wants to delete an address from the Address Book, he/she first highlights the address in the second window of the application, and then clicks on the "Delete Selection" button below the "Notes:" text box. The application then prompts the user via the Interactive Help Panel to ensure that the user would like to carry out this action.

The Account Book selection (in the top line of the tool bar) also contains just one submenu: modify. The e-mail account book is displayed in terms of Account Sheets and Account Lists in the second window of the application.

When the Modify option is selected, the application displays the dialog box of FIG. 11. If the application is currently running a critical process, then this option is not available to the user until that process is complete. This dialog box guides the user through the process of adding/deleting/modifying an existing e-mail account, and/or adding/deleting a folder to the account book.

When the user wants to add a new e-mail account to his or her account book, then the user first enters the appropriate information in the supplied text boxes labeled: User name, Password, and Server. The user name field holds the user's name on that account, the password field holds the password the user must supply to access the account, and the server field holds the name of the server on which the account resides. The password field is "blind," that is, rather than printing what the user types, the only characters that show up are asterisks (*). When the user wants to modify an
account (as when the user has modified the password), then the user is required to highlight the account in the account list displayed at left. When this is done, the account information is placed into the appropriate text boxes. When the user wants to delete an account or folder, the user first highlights the account, then clicks on the delete button.

When the user would like to create a new folder, he/she uses the pull down menu to type a new folder name. The user [illegible] although this option is available in the event the user would like to place a new account in a new folder. In this, and every case listed above, the user is prompted by the Interactive Help Panel at the lower right of the application to confirm the addition/deletion operation.

When the user is finished manipulating the Account Book, then the user must select the "Done" button to exit the display and return to the previous state of operation. Thus, if the user was composing a message, the composer is displayed having maintained all of the information the user may have entered into that display.

The Help menu (top line of the tool bar) contains an online help reference, a brief tutorial, and an "about" section that lists that application's version, completion date, etc. If the application is currently executing a critical process, then these options are not available until the process is complete.

The Tutorial option brings up a dialog box as in the preceding examples, but provides one large text box with a chapter listing, back and forward buttons, and an exit button. The layout of the dialog is similar to the one displayed in FIG. 12, and the text of the tutorial is shown in the large text box. The user is able to view the different chapters of the tutorial, or view an index (this option is included in the chapter pull down menu). When in each chapter, the user is able to utilize the back and forward buttons to move either forward or back a page. If the user selects the exit button, then the application closes the tutorial and automatically returns to the start state.

When the Online Help option is selected, an online index appears in the third window of the application. At the user's disposal is an index of common words/features/lists/terms or other useful "guiding" words that the user may want to search for. When the user highlights one of these options in the index, the help listings from the tutorial are displayed below so the user can select one of the options.

The About selection displays information regarding the current version of the application. The information is displayed in the Interactive Help Panel so that no other option or operation is disrupted. Included in the About display is the version number of the application, the date of its release, and contact information (including Web information). This option is not available when the application is running a critical process.

The Create button (second line of the tool bar) brings up the composition screen (FIG. 13). This screen is placed into the third window of the application. The preferences are read such that the application understands the user's desire to encrypt, sign, and/or compress the outgoing message or its attachment, if any. This button does not operate if the application is currently running a critical process. This screen is where the user composes outgoing messages. When the user is satisfied with the composition and is finished editing the composition, the user presses the "Send" button (described below) to complete the action. Five additional buttons are shown: Attach File, Save as Draft, Signature File, Spell Check, and Cancel.

The Attach File button, when clicked (on the tool bar in the frame), brings up a dialog box (the only separate window used by the application) in order to allow the user to select a file that he/she wishes to attach. The file can be of any type and size, if the user has the proper permissions to access and download the file. The dialog box that this option displays is a familiar Windows file dialog box. It supplies a directory tree, a name field, a pull down menu of available disk drives, etc. When a file is attached, it is placed [illegible] for proper handling. When the user has completed selection of the desired attachment, the file dialog exits and the user [illegible] composition. This option is not operational if the application is currently running a critical process.

If the user selects the "Save as Draft" button, then the application acts as though it is sending the message, but rather than sending the message over the Internet to the desired address, the message is placed in the Draft folder of the Message Book. Thus, the message and any attachment(s) are properly formatted for sending, including any encryption, signature, and/or compression requirements. When the application is finished with this operation, the start state of the application is displayed.

A user, by selecting the Signature File button from the top line of the Composer frame tool bar, can create and/or manipulate a signature file as well as enable or disable the option to append a signature file to outgoing messages (see FIG. 14). This option requires that a new dialog box be shown to the user. As such, the old dialog box (FIG. 13) is hidden rather than closed, so that the user does not lose any information already placed in the composition of the message. This option is not available when the application is currently running a critical process. This display is a simple one that provides the user with some instruction. If a signature file has been created, then the application displays that file in the text box (contained in the third window of the application). If the user has not yet created a signature file, then the user can create one by entering the desired signature in the text box, then clicking on Create Signature. This action makes the file available to the application by saving the file to disk.

If the user has already created a signature file, but wishes to modify that signature file, then the user first makes modifications, then selects the Modify Signature button to save those changes. When the user would want to enable or disable the signature file, then he/she marks the checkbox. If the box is marked, the file is enabled. If the user would like to exit with or without making changes to the signature file and its operation, then the user simply clicks on the Return button to go back to the Create display.

The Cancel option provides the user a way to exit a composition. When this option is selected, the display returns to the application's start state, and all information regarding the current composition is lost. This option is not available to the user if the application is currently running a critical process.

When the user selects the "Retrieve Messages" button from the second line of the tool bar (FIGS. 5-14, second line of tool bar), the application gets messages from the user's various e-mail accounts. The first account to be checked is the account found on the EMC server. If the user has other accounts listed in his or her e-mail account book, these will be checked in the order in which the user entered them. Note that only default accounts will be checked automatically. Any other accounts must be checked for messages manually. For each account that is checked, the message filter will be invoked. The state of the application remains the same except for the second window, which changes to display the message book.
The Encrypt | Sign | Compress check-box options (FIGS. 5-14, second line of tool bar) allow the user to select, for each composition, the appropriate action for the application to take when sending a composed message. When the application is run, the preferences of the user are read and these options would be run accordingly. The availability of the options at the time of composition provides the user with the ability to change his or her mind for each message. If an option is marked, then it is enabled. Thus, if the Encrypt option is checked, the next outgoing message is encrypted. If the user changes any of these options for a given message, then the application changes the options to such preferences after the current composition is sent, saved as a draft, or canceled.

The Address Book | Account Book | Message Book radio buttons (FIGS. 5-14, second line of tool bar) allow the user to toggle between the Account, Address, and Message Books. Only one option can be displayed at any one time. These are shown in the second window of the application in a hierarchical fashion. If the user would want to return to the Message Book, he/she highlights a folder in the first window of the application. These options are not available if the application is currently running a critical process.

The user can bring up the Address Book or Account Book dialog when he/she double clicks on a particular address or account or folder. If the user would like to send an e-mail message directly from the address book, the user first highlights that address (or address folder for a "bulk" mailing), then selects the "Create" button contained in the main window of the application. If the application is currently in another state, such as the composition state, then that display is simply hidden from view rather than destroyed. Similarly, the user is able to view any message from the Message Book by double clicking on that message in the message book. This displays the Message Book Display as previously described.

The Web-based application cannot be contained in a single unit, per se, as the client-side application is. Rather, the application spans from the client to the server. Known Web-based e-mail providers have not had, or even attempted to implement, security measures such as the X.509 certificate standard. In the case of the Web-based application of the present invention, the application runs as a distributed system. That is, the application controls are sent to the user to be viewed on the user's browser, and through these controls the user operates the application that resides on the server.

The functioning of the Web-based application takes place primarily on the server side of the application, and the controls are passed through a secure channel using the Secure Sockets Layer protocol ("SSL"), or some other security protocol offering a secure "pipe" to and from the application level. Thus, all certificate information and initial message information is secured on the user's account as it exists on the mail server. This approach provides a fully accessible, secure e-mail application that the user can utilize from any web-enabled computer anywhere in the world, within legal boundaries.

Some components of the application must be ported to the user's machine at each mail session, such as the compression tools. The porting of this component minimizes the bandwidth usage of the user from the local machine. Depending upon size, some other components may be downloaded to the browser on a per-session basis. Often, users of Web-based e-mail wish to place attachments on their outgoing mail and/or download messages that they have received for printing or some other purpose. The Web-based application running in the browser provides a way for the user to access and download messages to his or her local machine, as well as upload attachments for sending. The user also has the capability to download messages to the local machine and store them in a provided message book.

In use and operation, a premium-service subscriber to the EMC service, User A in FIG. 1, has a choice of accessing his e-mail through either his personal computer A or through another computer X, as shown. Computer A has the EMC program loaded onto it, and computer X does not. User A can use computer A to compose a message, to add any attachments, to set the encryption of the message and the encryption and compression or not of any attachments, etc., and to sign the message digitally or not, all while off-line. To send the message and any others, and to check and receive any messages sent to him by others, he/she connects over a telephone or cable line, or any other hard-wired or wireless connection, to his ISP's Server I. That server is licensed by the present inventors and also has the EMC system installed. Server I confirms the identity and digital signature of the subscriber and accepts the message uploaded from Computer A along with any attachments. User A can use computer A from home or the office or on any other Internet connection, as when he/she is travelling with a laptop or notebook computer A.

If User A is away from home or office and cannot use his Computer A, he/she still can send and receive e-mail with all the information and options of his home Computer A. He/she need only log onto Server I from any computer with suitable hardware and software, as Computers X or Z as shown. Computer X connects to his own Server I, while Computer Z connects to a Server III, as shown, which does not have EMC loaded or licensed, but does practice the S/MIME protocol. In either case User A logs into Server I using his user and/or identification name(s) and password; if he/she is on Server III he/she merely needs to access Server I through the Internet. He/she is able to compose mail on-line, and receive mail, with all the same encryption, authentication, etc. features, settings, and organization as he/she had on his own Computer A.

A message sent by User A to another EMC subscriber, as User B, is routed from the Computer A or Computer X through Server I and over the Internet (and possibly over or through other servers there) to a Server II of User B. It is stored there, in the EMC Web system application, with any attachments and in any encrypted form used by User A, until User B logs on to retrieve that message. If User B uses his/her regular Computer B with EMC loaded, he/she may download the message, have it automatically decrypted, and any attachments decompressed, if necessary, for reading off-line. If User B uses a different computer, as Computer Y, through Server II, he/she must remain on-line to read the message, although it will be decrypted and any attachments decompressed for her by Server II as part of the EMC program and service.

A message sent by User A to a non-EMC subscriber, as User C, is routed from Computer A or Computer X through Server I and over the Internet (and possibly over or through other servers there) to a Server III of User C. It is stored there, in the Web-based e-mail application of User C (as Hotmail®), with any attachments and in any encrypted form used by User A, until User C logs on to retrieve that message. Whether User C uses his regular Computer C or another Computer Z, neither one having EMC loaded, he/she may download the message and have it automatically decrypted under the S/MIME protocol. However, for any attachments that are compressed, User C must go to a
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different program to decompress and read them. If User C 
has a clieot-side e-mail system (as Eudora®), be/she would 
download the message and attachments and can then read 
and otherwise manipulate them off-line. 

If User A wants to send a message to a user not on a secure
server or computer, i.e., not using S/MIME or similar 
protocol, he/she may do so, but the message and attachments 
will not be encrypted (User A will be warned of this by the 
EMC system). Interoperability is an important feature of this 
invention, so that subscribers can communicate electronically
to all other persons, not just to those on a particular
system. 

To receive e-mail messages from others, User A opens his
client-side program on Computer A, or logs into Server I 
from any other Computer X or Z connected to any Server. 
He/she downloads the messages to his Computer A, or reads 
them on-line on the other Computer X or Z. The messages 
are decrypted automatically, attachments are decompressed 
automatically if necessary, and other features of the EMC 
program are implemented for him, since he/she is tied into 
Server I, which runs the web-side EMC system. 

Many variations may be made in the invention as shown
and its manner of use without departing from the principles 
of the invention as pictured and described herein and 
claimed as our invention. "Personal computer" as used 
herein refers to computers of all manufacturers and operating
systems, whether PC, Apple, Unix, Java, Wintel, etc.
Minor variations will not avoid the use of the invention. 

We claim as our invention: 

1. A method of providing a secure electronic messaging 
service to each of a plurality of subscribers, using a server 
and a personal computer both connected to a global com- 
puter network, the method comprising the steps: 

programming each of a server application and a personal 
computer application with a secure e-mail messaging 
service configured to interact with and to shadow the
other application via said network as to personal 
information, settings, and files of an individual one of 
said subscribers; 

storing said information, settings, and files both on said 
server and on said personal computer running said 
application, for access off-line solely through the personal
computer of said subscriber and for access
on-line by said subscriber through any computer having 
capability to communicate with said server; 

allowing access to said messaging service via said server 
for a subscriber's sending and receiving electronic 
messages; and

providing a digital certificate security service from each 
of the server and the computer together with the 
messaging service. 

2. The method of claim 1, wherein the step of accessing
the server of the messaging service from a personal computer
using the Web-based form of service further comprises
the step of using an S/MIME compliant application to 
connect between the computer and said server. 

3. The method of claim 1, wherein the step of providing 
a digital signature security service includes verifying the 
identity of the sender, the integrity of the message, and the 
fact of the sending by the sender. 

4. The method of claim 1, further including the step of 
decompressing automatically a compressed attachment to a 
message upon its reaching and being opened by a subscriber. 

5. A method of providing secure e-mail service to a 
subscriber, the service being accessible equally from an 
e-mail program on a computer of the subscriber and via the 
Internet (a global computer network) from other computers 
which may be used by the subscriber, the method comprising 
the steps:

loading the e-mail program onto the subscriber's 
computer, the program being one for composing and 
displaying e-mail messages thereon while the computer
is off-line, using personal information, settings, and 
files of the subscriber and for providing at least one of 
address, e-mail account, and message book features; 

providing an e-mail service on an Internet server acces- 
sible by said subscriber, the service and the program on 
the subscriber's computer each shadowing the content 
of the other for said personal information, settings, and 
files of the subscriber and for each of the address, 
account, and message books of the subscriber; 

allowing access to the e-mail service on said subscriber's 
computer and from any other computer via a modem or 
the Internet; 

synchronizing and updating the personal information, 
settings, and files of the subscriber and the features and 
content in the subscriber's program and in the e-mail 
service on the Internet server upon each access of the 
subscriber's computer to the Internet server and e-mail 
service after a change in either, and 
providing from each of the e-mail server and the user's 
computer, with one or more messages a digital signa- 
ture security service for verifying the identity of the 
sender, the integrity of the messages sent, and the fact 
of the sending by the sender, 
whereby to provide nearly identical, secure e-mail services 
to the subscriber whether the subscriber is using his/her own 
computer which is running the application or is logged-in to 
the server from a different computer through the Internet.

6. The method of claim 5, wherein the step of accessing 
the e-mail service from a computer other than the subscrib- 
er's computer further comprises the step of using an 
S/MIME compliant application to connect between the other 
computer and the server. 

7. The method of claim 5, further comprising the step of 
decompressing any compressed attachment automatically
when it reaches and is opened by a subscriber. 

8. A secure, encrypted, digitally-certified e-mail service 
application for a personal computer that is also accessible 
for similar use over a global computer network, the service 
application comprising:

a full-featured e-mail program for loading onto a sub- 
scriber's personal computer, the program configured to 
receive personal information, settings, and files of the 
subscriber and having at least one of address book,
e-mail account book, and message book files provided 
therein; 

a network-based e-mail service system configured to 
shadow the subscriber's e-mail program as to content 
and having the same ones of address book, account 
book, and message book files as said program on said 
personal computer, the system synchronizing and 
updating itself and the program on the personal com- 
puter as and after either is changed and upon connect- 
ing the subscriber's personal computer to the e-mail 
service system via a modem or the network, and 

means for providing a digital signature security service 
directly from either of the subscriber's computer or the 
network server, the signature service verifying the 
identity of the sender, the integrity of the message, and 
the fact of the sending by the subscriber. 

9. The e-mail service application of claim 8, wherein the 
server of the e-mail service is configured for access to any 
computer used by the subscriber using an S/MIME compli- 
ant application. 

10. The e-mail service application of claim 8, wherein the 
service further is configured to decompress any compressed 
attachment automatically when it reaches and is opened by 
the subscriber. 
METHOD AND APPARATUS FOR
MANAGING PACKETS USING A REAL-TIME 
FEEDBACK SIGNAL 

BACKGROUND OF THE INVENTION 

A typical data communications network includes a num- 
ber of host computers linked by one or more data commu- 
nications devices coupled via any type of transmission 
media. Data is transmitted between one or more hosts on the 
network in the form of network packets or cells which 
typically have a predefined, standardized format. 

In some networks, network packets are classified into 
different Quality of Service (QoS) classes which dictate how 
competing traffic flows are allocated resources, which affects
how quickly such packets travel from their sources to their 
destinations. 

In such a network, data communications devices (e.g., 
routers and repeaters) typically receive and retransmit net- 
work packets based on the QoS classes of the packets. For 
example, in a network having video packets as a first QoS 
class and email packets (electronic mail) as a second QoS 
class, a network router may internally manage packets such 
that received video packets are retransmitted with less delay 
than email packets. As a result, network packet destinations 
(e.g., receiving hosts) generally perceive different responses, 
or Qualities of Service, for different QoS classes (e.g., faster 
video transmissions than email transmissions). 

In a network which uses QoS classifications, data com- 
munications devices generally manage network packets 
internally according to packet management algorithms. 
Typically, in such a device, the algorithms provide control 
signals as a function of local network traffic data which has 
been accumulated and post-processed over an extended 
period of time. For example, a network router may operate 
in a particular manner based on local network traffic data, 
which has been accumulated and post-processed over sev- 
eral days, to enable the router to achieve QoS goals of 
transmitting received video packets with a maximum time 
delay of 100 ns and transmitting received email packets with
a maximum time delay of 100 ms. 

Typically, a person known as a network administrator is
responsible for ensuring that a data communications device
(e.g., the router) achieves its QoS goals. When the data
communications device does not provide adequate QoS, the
administrator analyzes the operation of the device relative to
the local network traffic and attempts to improve the
performance of the device to enable it to achieve its QoS goals.
Furthermore, even if the device adequately achieves its QoS
goals, the administrator may still attempt, on occasion, to
further improve the performance of the device to enable it to
more easily manage network packets and achieve its QoS
goals.

When the administrator attempts to improve a data com- 
munication device's ability to manage network packets, the 
administrator typically studies the network traffic passing 
through the particular point where the device is connected to 
the network. For example, the administrator may connect a 
network packet monitor at the input of the data communi- 
cations device to classify packet sizes, to count the number 
of packets in total or the number of packets of a particular 
QoS class received by the data communications device. 
Often, the administrator allows the monitor to accumulate 
this information over an extended period of time such as 
several hours or perhaps several days. For example, the 
monitor stores the size and count information in a computer 
file on a computer for future analysis. 
After the count information has been collected, the
administrator generates particular network metrics from the
count information. For example, the administrator may have
logged the amount of time that elapsed while collecting the
count information. Accordingly, the administrator can determine
the overall packet rate provided by the data communications
device by dividing the counted overall number of
packets by the elapsed time. That is,

$$\text{overall packet rate} = \frac{\text{overall number of packets counted}}{\text{elapsed time}}$$

Similarly, the rate for a particular packet type can be
determined by dividing the counted number of packets for a
particular QoS class by the elapsed time. That is,

$$\text{packet rate for a particular packet type} = \frac{\text{number of packets counted for a particular QoS class}}{\text{elapsed time}}$$

In this manner, the administrator determines the characteristics
of the network traffic handled by the data communications
device during the elapsed time period. This information
along with packet size information can help improve
understanding of the resource requirements of different
traffic flows.

After the administrator has determined the network traffic
characteristics of the elapsed time period, the administrator
examines the settings of the data communications device. In
particular, the administrator verifies that the operating
parameters of the data communications device are set such
that the device will manage packets correctly and efficiently
in the future, if the device encounters network traffic having
the same characteristics. For example, if the device is
already set to handle such traffic correctly and efficiently, the
administrator leaves the parameters unchanged or may
change the parameters slightly with the hope of improving
performance. However, if the device is not set to handle such
traffic correctly and efficiently, the administrator modifies
the parameters such that the device will handle the traffic
correctly and efficiently in the future. The size of the output
queues of the data communications device and the priority
of different packet types are examples of parameters that the
administrator may examine and perhaps adjust.

After the administrator has determined that the data
communications device is properly set to manage packets
correctly and efficiently and if the data communications
device encounters new network traffic having different
characteristics as previously encountered during the elapsed time
period, the administrator may choose to subsequently repeat
the above described procedure at some time in the future.
For example, the administrator may (i) monitor the network
traffic several days later to accumulate new size and count
information, (ii) generate new network metrics using the
new information, and (iii) then examine the settings of the
data communications device relative to the newly generated
network metrics.

Using the above-described technique, the data communications
device is tuned to manage network packets correctly
and efficiently with the assistance of human intervention by
the network administrator. With an aggressive approach
towards fine tuning the data communications device, the
administrator may repeat the adjustment process a dozen or
so times over the course of several days.

SUMMARY OF THE INVENTION

In contrast to conventional network packet management
techniques, the invention is directed to techniques for managing
network packets in a data communications device
using a real-time feedback signal. In one technique, a traffic
monitor observes network packet traffic transmitted from an
output of the data communications device, and generates the
real-time feedback signal based on the observed traffic. The
data communications device manages newly received packets
according to the real-time feedback signal, i.e., according
to the instantaneously observed traffic, thus
enabling the data communications device to perform real-time
packet management and adjust to dynamically changing
conditions within the network at a rapid pace.

One embodiment involves the use of a data communications
device having a memory. The data communications
device transmits an initial set of packets which are monitored
by a traffic monitor. The traffic monitor then provides
the real-time feedback signal indicating transmission information
regarding the initial or previous set of packets. The
data communications device manipulates (or handles) a new
set of packets within its memory based on the real-time
feedback signal, and transmits the new set of packets from
the data communications device based on how the new set
of packets was manipulated within the memory.

Preferably, each packet belongs to one of multiple packet
classes, e.g., Quality of Service (QoS) classes such as video,
audio, general data and best effort classes. Classes may also
be defined by packet source, destination, or any other
internal data in the packet, or by other information such as
a physical location (e.g., port) on the device upon which the
packet arrived. As such, the real-time feedback signal indicates
transmission levels of the multiple packet classes for
the initial set of packets. For example, the real-time feedback
signal may indicate packet counts for each packet class
in the initial set, and a total count for the number of packets
in the initial set.

The memory of the data communications device preferably
stores a queue structure. As such, the data communications
device manipulates the new set of packets by scheduling
each of the new set of packets in the queue structure
based on the transmission levels of the multiple packet
classes for the initial set of packets, as indicated by the
real-time feedback signal. Alternatively, the device manipulates
the new set of packets by reordering queues of the
queue structure when the transmission levels of the multiple
packet classes for the initial set of packets, as indicated by
the real-time feedback signal, cause the data communications
device to detect a reorder condition. As another
alternative, the device manipulates the new set of packets by
discarding a packet of the new set of packets from the queue
structure when the transmission levels of the multiple packet
classes for the initial set of packets, as indicated by the
real-time feedback signal, cause the data communications
device to detect a discard condition. As yet another
alternative, the data communications device manipulates the
new set of packets by performing multiple functions using
the real-time feedback signal. For example, the device
schedules packets, reorders queues and discards packets,
based on the real-time feedback signal. In this arrangement,
information within the real-time feedback signal is preferably
an input to an algorithm used by the device, as the
device performs many complex calculations.

Preferably, each packet includes a bit pattern indicative of
one of the multiple packet classes. The bit pattern resides in
a predetermined location within each packet, i.e., within a
type of service (TOS) field (e.g., indicating the QoS assigned
to that packet). As such, to monitor transmission of the initial
set of the packets and provide the real-time feedback, the
traffic monitor preferably samples (monitors) packets from
the initial set of packets. The traffic monitor recognizes, for
each sampled packet, a bit pattern of that packet, and updates
a set of data structures based on the recognized bit pattern of
that packet, the data structures respectively corresponding to
the multiple packet classes. Furthermore, the traffic monitor
[illegible] the real-time feedback signal based on the updated
data structures such that the real-time feedback signal
is indicative of the transmission levels of the multiple packet
classes for the initial (or previous) set of packets.

[illegible] arrangement, the real-time feedback signal
preferably indicates a bit count for each of the multiple
packet classes [illegible]. As such, the data
communications device preferably includes traffic analysis
[illegible] each of the multiple packet
[illegible] each of the multiple packet
[illegible]
manipulates based on the bit rate for each of the
multiple packet classes.

Preferably, the data communications device can request
information from the traffic monitor. In particular, the device
requests the information by generating a request signal for
information regarding the transmission levels of the multiple
packet classes for the [illegible] set of packets or any previous
packets. In response, the traffic monitor generates the
real-time feedback signal such that it includes the requested
information.

It should be understood that network traffic patterns may
[illegible] within a relatively short period of time. As such, some
conventional data communications devices may not be optimally
adjusted to manage a network traffic with particular
characteristics if the adjustments are infrequent or if the
adjustments rely on network data gathered over extended
periods of time. In contrast, the invention involves optimally
adjusting how a data communications device manages packets
[illegible] a real-time feedback signal. Accordingly, if the
traffic pattern shifts within a relatively short period of time,
the data communications device, configured according to the
invention, can adapt its operation to more optimally manage
packets in a manner superior to that done in conventional
communications devices.

Additionally, the invention provides for an automated
adjustment process. That is, once configured in accordance
with the invention, no human intervention is required to
enable the data communications device to manage packets
correctly and efficiently within a network having changing
network traffic characteristics. Rather, the real-time feedback
signal is generated in a contiguous manner enabling the
data communications device to adjust its operation dynamically
and automatically.

Furthermore, unlike conventional systems which have
large storage requirements to store large amounts of network
data gathered over extended periods of time and large
processors to analyze the network data, the invention has
relatively small hardware requirements. That is, since the
invention uses a real-time feedback signal that contains fresh
data, there are less memory requirements and processor
demands.

Also, the invention enables different types of network
information to be gathered on-the-fly. That is, if the invention
cannot determine how to adjust itself in view of
particular network data acquired from the traffic monitor, the
invention can request other types of network data to assist
the invention in its determination of how to adjust itself.
Accordingly, there is less likelihood that conflicting goals
will result in oscillating performance. That is, the invention
will tend towards a convergence or compromise between the
different goals (e.g., QoS goals). Hence, a first action by the
invention based on a particular goal may provide only a
modest performance improvement, and a subsequent action
based on a different goal may provide a substantially better
improvement in a non-oscillating manner.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other objects, features and advantages
of the invention will be apparent from the following more
particular description of preferred embodiments of the
invention, as illustrated in the accompanying drawings in
which like reference characters refer to the same parts
throughout the different views. The drawings are not necessarily
to scale, emphasis instead being placed upon illustrating
the principles of the invention.

FIG. 1 is a block diagram of a data communications
device according to an embodiment of the invention.

FIG. 2 is a block diagram of a traffic monitor of the data
communications device of FIG. 1.

FIG. 3A is a block diagram of a network packet that is
suitable for use by the data communications device of FIG.
1.

FIG. 3B is a block diagram of an alternative network
packet that is suitable for use by the data communications
device of FIG. 1.

FIG. 4 is a flow diagram illustrating the operation of a
management module of the data communications device of
FIG. 1.

FIG. 5 is a flow diagram illustrating the operation of a
traffic analyzer of the data communications device of FIG. 1.

FIG. 6 is a flow diagram illustrating, by way of example,
a series of operations of a management module of the data
communications device of FIG. 1 in response to different
types of traffic information.

FIG. 7 is a block diagram of a data communications
device according to an alternative embodiment of the invention.

DETAILED DESCRIPTION OF PREFERRED
EMBODIMENTS

Overview

The invention is directed to techniques for managing
network packets using a real-time feedback signal. FIG. 1
shows a data communications device 10 that connects to a
network 12, and manages network packets 14 using such a
real-time feedback signal in accordance with the invention.
The data communications device 10 includes network
packet management modules (16, 18, 20), output circuitry
(22, 24) and monitoring circuitry (26). The management
modules include an input scheduler 16, a reorder manager 18
and a discard manager 20. The output circuitry includes
memory (or output queue) 22 and an output scheduler 24.
The monitoring circuitry includes a traffic monitor 26.

When the data communications device 10 is in operation,
network packets 14 flow from a portion of the network 12 to
the input scheduler 16, through the memory 22, then through
the output scheduler 24, and finally into a different portion
of the network 12. The traffic monitor 26 preferably connects
to the network 12 at an output of the data communications
device 10, and observes the network packets 14
transmitted from the output scheduler 24 without interfering
with the flow of network packets 14 back into the network
12.

Prior to beginning normal operation, the data communications
device 10 forms a queue structure 28 in the memory
22. The queue structure includes multiple queues 30-A,
30-B, 30-C, 30-D, . . . (collectively queues 30) which
correspond to different types of service (TOS) supported by
the network 12 and the data communications device 10. In
one embodiment, the different types of service are different
Quality of Service (QoS) classes. By way of example, the
data communications device assigns queue 30-A to a best
effort QoS class, queue 30-B to a general data QoS class,
queue 30-C to an audio QoS class, and queue 30-D to a
video QoS class.

[illegible] the input scheduler 16 receives packets 14 from the
network 12, the input scheduler 16 schedules the packets 14
in the queue structure 28 of the memory 22. In
particular, the input scheduler 14 identifies the TOS of each
packet 14, and then places that packet 14 in the queue
assigned to that TOS (e.g., one of the queues 30-A through
30-D). In the example, when the input scheduler 16
identifies a particular packet 14 as a video packet, the input
scheduler 16 places the video packet in queue 30-D which
[illegible] the video QoS class.

In addition to the input scheduler's ability to schedule
packets 14, the input scheduler 16 has the capability to
control the size of each queue 30 in an on-the-fly or dynamic
manner based on a real-time feedback signal 38 provided by
the traffic monitor 26. The input scheduler 16 analyzes
network traffic data in the real-time feedback signal 38, and
adjusts sizes of the queues 30 if the input scheduler 16
determines that such an adjustment would enable the data
communications device 10 to improve its performance. For
example, using the real-time feedback signal 38, the input
scheduler 16 may determine that there is excess bandwidth
available yet general data packets are being discarded by the
discard manager 20 due to the small size of queue 30-B. In
this situation, the input scheduler 16 may decide to
increase the size of the queue assigned to temporarily store
general data packets (e.g., queue 30-B). With such an
adjustment, the data communications device 10 may be able
to handle transmission of all of the general data packets and
without a need to discard packets.

The reorder manager 18 controls the prioritization of the
queues 30 within the queue structure 28. In particular, using
the real-time feedback signal 38, the reorder manager 18
attempts to order the queues 30 in a manner that enables the
data communications device 10 to easily achieve certain
TOS requirements. In the example, the TOS requirements
are pre-established QoS goals that enable packet destinations
to perceive certain responses associated with different
QoS classes of packets. Accordingly, in the example, the
reorder manager 18 of the data communications device 10
reorders the queues 30 to enable the data communications
device 10 to achieve predetermined Quality of Service
(QoS) goals based on traffic data stored within the real-time
feedback signal 38.

The discard manager 20 controls deletion or discarding of
packets from the queues 30. In particular, using the real-time
feedback signal 38, the discard manager 20 determines when
the data communications device 10 is unable to achieve its
TOS goals, and discards packets in such situations in order
to achieve such goals. In the example, the discard manager
20 may determine from the real-time feedback signal 38 that
the data communications device 10 is not providing video
packets in accordance with pre-established QoS goals. In
response, the discard manager 20 may begin discarding best
effort packets from the queue (e.g., queue 30-A). As a result,
more bandwidth becomes available for the video packets,
and the data communications device 10 is now able to
achieve its QoS goals.
In one embodiment, the input scheduler 16, the reorder
manager 18 and the discard manager 20 use a same instance 
of the real-time feedback signal 38 (e.g., instance 39) when 
in operation. In another embodiment, the input scheduler 16, 
the reorder manager 18 and the discard manager 20 use 
respective instances of the real-time feedback signal 38 to 
operate asynchronously relative to each other. The latter 
allows for improved flexibility and customization. 

The output scheduler 24 transmits packets 14 (e.g., as a 
serial bit stream) from the queue structure 28 back into the 
network 12. Simultaneously, the traffic monitor 26 monitors
the transmitted packets 14 (e.g., by identifying patterns in 
the serial bit stream) and generates a total count of all the 
packets transmitted as well as individual packet counts for 
each TOS. In the example, the traffic monitor 26 generates 
a total packet count and a count for each QoS class. In more
sophisticated implementations, the traffic monitor 26 also 
reports packet sizes.

It should be understood that the traffic monitor 26 is 
ideally located at the output of the data communications 
device 10 to measure the output traffic provided by the data 
communications device 10. Accordingly, the traffic monitor 
26 makes direct observations of the data communications 
device's operation and performance, and the traffic data 
within the real-time feedback signal 38 accurately reflects 
the device's operation and performance. Such an arrange- 
ment is superior to conventional arrangements that monitor 
network traffic at the input of a data communications device 
since monitoring the traffic at the input provides no indica- 
tion of how successfully the device handles the traffic. 

For example, suppose packets of a particular QoS class 
begin to accumulate in a data communications device queue. 
If the queue begins to overflow, a conventional data com- 
munications device may handle the situation by discarding 
packets to alleviate the congestion. However, with the 
invention, the traffic monitor 26 observing the output of the 
data communications device 10 may determine that other 
QoS classes are overutilizing the output scheduler 24 thus 
preventing the particular QoS class of packets from being 
transmitted. In this situation, the data communications 
device 10 may then temporarily reprioritize the overflowing 
queue to a higher priority to provide the overflowing packets 
greater bandwidth to transmit in order to alleviate the 
congestion problem. Such reprioritization is a more efficient
and effective solution which is overlooked by conventional 
devices. Further details of various portions of the data 
communications device 10 will now be provided. 
Traffic Monitor 

As shown in FIG. 2, the traffic monitor 26 includes a 
pattern recognizer 42, a controller 44, multiple individual 
counters 46-1, 46-2, . . . , 46-N (collectively counters 46),
and an aggregate counter 48. Before the data communica- 
tions device 10 begins normal operation, the traffic monitor 
26 assigns one of the individual counters 46 to each TOS. 
Then, during normal operation, the traffic monitor 26 
observes packets 14 as they are transmitted from the output 
scheduler 24, and updates the counters 46, 48 such that they
indicate the observed network traffic leaving the data com- 
munications device 10. In one embodiment, the packets 14 
are transmitted from the output scheduler 24 as a serial bit 
stream, and the pattern recognizer 42 identifies patterns 
within the serial bit stream to detect packets and to deter- 
mine the TOS of each detected packet. 

In the above QoS example, prior to normal operation, the 
traffic monitor 26 assigns an individual counter 46 to each 
QoS class (e.g., video, audio, general data, and best effort). 
Then, during normal operation, the pattern recognizer 42
scans a class indicator field (i.e., the TOS field) of each
packet 14 to determine the QoS of that packet 14. The
controller 44 then updates the appropriate counter 46 (i.e.,
the counter 46 corresponding to that QoS) and the aggregate
counter 48. By way of example, for a video packet 14, the
controller 44 increments a corresponding one of the counters
46 and the aggregate counter 48.

FIG. 3A shows a format 50 for a network packet 14 that
is suitable for use by the invention. The network packet 
format 50 includes a data portion 52 and a header portion 54. 
The header portion 54 includes a class indicator field 56 
(e.g., bit positions 8-11) that indicates the TOS (e.g., the 
QoS class for that packet). By way of example only, a class 
indicator of x0011 indicates video QoS, a class indicator of
xOOl indicates audio QoS, a class indicator of xCX)l indicates
general data QoS, and a class indicator of x0000 indicates
best effort QoS. 

FIG. 3B shows an alternative format 58 for a network 
packet 14 that is suitable for use by the invention. The 
network packet format 58 is similar to the network packet
format 50 except that a data portion 60 of the network packet
format 58, rather than a header portion 62, stores a class 
indicator 64. Accordingly, the class associated with a net- 
work packet may be determined by an analysis of the actual 
data carried by that packet. 

As the pattern recognizer 42 monitors network traffic on
the output of the data communications device 10 and the
controller 44 updates the counters 46, 48, the controller 44
simultaneously generates the real-time feedback signal 38
and sends the signal 38 to the network packet management
modules. In one embodiment, the controller 44 generates
and sends the real-time feedback signal 38, as a digital
signal, automatically (e.g., every 1 ms) to enable the net-
work packet management modules (16, 18, 20) to dynami-
cally adjust the manner in which they manage packets within
the data communications device 10 (e.g., instance 39 in FIG.
1). Alternatively, the controller 44 sends the real-time feed-
back signal 38 to the management modules on a single line
as a time multiplexed analog signal, or on multiple lines as
individual analog signals.

Preferably, the traffic data contained within the real-time
feedback signal 38 is a copy of the contents of the counters
46, 48. Accordingly, large amounts of storage space and
processor resources for extensive post-processing are not
required. Rather, any complexity involved in analyzing the
traffic data (i.e., the counter contents) can be moved to the
network packet management modules (the input scheduler
16, the reorder manager 18 and the discard manager 20).

Referring back to FIG. 1, the traffic analyzer 32-IS
includes a control module 34-IS and memory 36-IS, and
operates such circuitry to analyze basic traffic data stored
within the real-time feedback signal 38. In one embodiment,
the real-time feedback signal 38 is a digital signal that
simply includes the contents of each counter 46 and 48 (see
FIG. 2). For this embodiment, the traffic analyzer 32-IS
keeps a clock to determine the change in time between
receiving each set of counter contents. The traffic analyzer
32-IS determines the total bit rate for the most recent set of
transmitted packets from the most recent set of counter
contents, the previous set of counter contents and the delta
time as follows:

\[
\text{Overall Bit Rate} = \frac{\text{most recent total bit count} - \text{previous total bit count}}{\text{time between most recent and previous total bit counts}}
\]

Similarly, the bit rate for any particular packet class can be
determined as follows:

\[
\text{Bit Rate For Particular Packet Class} = \frac{\text{most recent class bit count} - \text{previous class bit count}}{\text{time between most recent and previous class bit counts}}
\]

Additionally, the percentage of bandwidth can be calculated 
for each packet class. Below is a calculation for the per- 
centage of video packets:

\[
\text{percentage of video data packets} = \frac{\text{number of video data packets counted}}{\text{number of total packets counted}}
\]

Since traffic data analysis is preferably performed within the
traffic analyzers 32, the traffic monitor 26 can be kept
simple. Accordingly, less processor and memory resources
are required for the traffic monitor 26 relative to conven-
tional traffic monitoring devices that store large amounts of
traffic data over extended periods of time (e.g., hours or even
days) and which then must post-process the large amounts of
traffic data.

Nevertheless, more sophisticated monitoring devices are 
also suitable for the traffic monitor 26. For example, in one 
embodiment, the traffic monitor 26 counts bits rather than 
packets 14 in order to provide finer granularity of data. In 
this embodiment, over specified time intervals, each counter 
46 counts bits for a corresponding TOS class of traffic (e.g., 
for a particular QoS class) and the aggregate counter 48 
counts the total number of bits for all TOS classes. The 
transmission speed (i.e., the speed of the media) is used as 
a clock. The number of bits counted for each traffic class is 
then divided by the media speed multiplied by the time 
interval to determine the media utilization and rate infor- 
mation of each TOS class. This embodiment provides finer 
resolution than the earlier described packet counting 
embodiment. 
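The counter arithmetic described above, written out as an added Python example (it is not code from the patent). It follows the bit-counting embodiment, so the per-class share is computed over bits rather than packets; the 32-bit counter width, the wrap handling, the 100 Mbit/s media speed and all names and sample readings are assumptions made for the example.

```python
from dataclasses import dataclass

COUNTER_BITS = 32  # assumed counter width; the page does not state one


@dataclass(frozen=True)
class Snapshot:
    """Counter contents copied into one feedback signal, plus arrival time."""
    t: float            # analyzer clock at arrival, in seconds
    class_bits: dict    # class name -> bit count (individual counters 46)
    total_bits: int     # aggregate counter 48


def counter_delta(new, old, width=COUNTER_BITS):
    """Difference of two readings of a free-running counter, allowing one wrap."""
    return (new - old) % (1 << width)


class TrafficAnalyzer:
    """Turns successive counter snapshots into rate, share and utilization data."""

    def __init__(self, media_bps):
        self.media_bps = media_bps   # speed of the output medium, bits per second
        self.prev = None

    def update(self, snap):
        """Return measures for the interval ending at snap, or None if unusable."""
        prev = self.prev
        if prev is None:
            self.prev = snap
            return None              # first snapshot: nothing to compare against
        dt = snap.t - prev.t
        if dt <= 0:
            return None              # duplicate or reordered signal: keep prev
        self.prev = snap
        total = counter_delta(snap.total_bits, prev.total_bits)
        classes = {}
        for name, bits in snap.class_bits.items():
            d = counter_delta(bits, prev.class_bits.get(name, 0))
            classes[name] = {
                "bps": d / dt,                                # class bit rate
                "share": d / total if total else 0.0,         # fraction of output bits
                "utilization": d / (self.media_bps * dt),     # bits / (media speed x interval)
            }
        return {"overall_bps": total / dt, "classes": classes}


def demo():
    """Constructed readings 1 ms apart; the aggregate counter is about to wrap."""
    analyzer = TrafficAnalyzer(media_bps=100_000_000)
    near_wrap = (1 << COUNTER_BITS) - 20_000
    snaps = [
        Snapshot(0.000, {"video": 0, "data": 0}, near_wrap),
        Snapshot(0.001, {"video": 48_000, "data": 12_000}, 40_000),  # total wrapped
        Snapshot(0.001, {"video": 48_000, "data": 12_000}, 40_000),  # duplicate signal
        Snapshot(0.002, {"video": 60_000, "data": 40_000}, 80_000),
    ]
    return [analyzer.update(s) for s in snaps]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Without the modular difference, the wrapped aggregate reading in the second snapshot would yield a negative overall bit rate and a negative share for every class.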

An example of a device that is capable of operating in this 
manner and that is suitable for the traffic monitor 26 is the
Event Driven Interface (EDI) manufactured by International 
Business Machines of Armonk, New York. The EDI per- 
forms pattern recognition based upon a program defined by 
control vectors. In particular, the EDI receives a serial bit 
stream (provided by the output scheduler 24), and performs 
logical pattern recognition to produce signals as an output in 
response to the identification of specific, predefined patterns 
in the serial bit stream. 

Some details of the EDI and similar traffic monitoring 
techniques are described in U.S. Pat. No. 5,365,514
(Hershey, et al.), entitled "Event driven interface for a
system for monitoring and controlling a data communica-
tions network," the teachings of which are incorporated by
reference herein in their entirety. Other similar traffic moni-
toring techniques are described in U.S. Pat. No. 5,375,070
(Hershey, et al.), entitled "Information collection architec-
ture and method for a data communications network," the
teachings of which are incorporated by reference herein in
their entirety. Additionally, similar traffic monitoring tech-
niques are described in U.S. Pat. No. 5,493,689 (Waclawsky,
et al.), entitled "System for configuring an event driven
interface including control blocks defining good loop loca-
tions in a memory which represent detection of a charac-
teristic pattern," the teachings of which are incorporated by
reference herein in their entirety. Furthermore, similar traffic
monitoring techniques are described in U.S. Pat. No.
5,586,266 (Hershey, et al.), entitled "System and method for
adaptive, active monitoring of a serial data stream having a
characteristic pattern," the teachings of which are incorpo-
rated by reference herein in their entirety. Still further,
similar traffic monitoring techniques are described in U.S.
Pat. No. 5,615,135 (Waclawsky, et al.), entitled "Event
driven interface having a dynamically reconfigurable
counter for monitoring a high speed data network according
to changing traffic events," the teachings of which are
incorporated by reference herein in their entirety.

In one embodiment, the invention uses the flexibility and 
sophistication of the EDI and similar traffic monitors to 
enable the real-time feedback signal 38 to include custom-
ized data. To take advantage of such features, the traffic
analyzers 32 of the management modules (e.g., the traffic
analyzer 32-DM of the discard manager 20) are equipped to
send a request signal 40 to the traffic analyzer 26 requesting 
customized data. 

Such a feature provides the invention with the ability to 
better determine the proper course of operation to improve 
throughput and the data communication device's ability to 
meet or exceed its QoS goals. Furthermore, the QoS goals 
may occasionally conflict giving rise to the potential for 
oscillating operation, i.e., the data communication device 
operating at one extreme to achieve one goal and then a 
different extreme to achieve a different goal, and so forth.
Such operation is typically undesirable since substantial
overhead is needed to shift between operating extremes. To
prevent such operation from occurring, the management
modules' abilities to request custom traffic data enable the
data communications device 10 to achieve convergence of 
goals, namely a compromise that results in stable yet optimal 
non-oscillating operation. 
Management Modules 

Each of the network packet management modules (the 
input scheduler 16, the reorder manager 18 and the discard 
manager 20) has a set of module specific TOS goals (e.g., 
QoS goals), and uses the real-time feedback signal 38 to 
attain those goals. In particular, when the data communica- 
tions device 10 is in normal operation, each management 
module 16, 18, 20 performs a procedure 70 to attain its 
specific TOS goals, as will now be explained in further detail 
with reference to FIG. 4. 

In step 72, the management module initializes a set of 
control parameters according to a control algorithm. The 
control parameters are specific to the particular management 
module and selected to enable the module to attain a set of
particular TOS goals. 

In step 74, the management module performs its module 
function based on the control parameters. The module 
function is specific to the particular management module as 
well. 

In step 76, the management module checks whether it 
should continue to operate with real-time adjustments. For 
example, if the data communications device 10 determines 
that it should shut down, the management module terminates
or ends the procedure 70. Otherwise, the management 
module proceeds to step 78. 

In step 78, the management module obtains real-time 
feedback results based on the real-time feedback signal 38 
provided by the traffic monitor 26. In particular, the traffic 
analyzer 32 of the management module analyzes the traffic 
data contained within the real-time feedback signal 38 to 
generate the real-time feedback results. Preferably, the man-
agement module generates customized results from the
traffic data within the real-time feedback signal 38 by
performing module-specific calculations using the more
general network data contained within the real-time feed-
back signal 38. In the alternative, if the traffic monitor 26 has
enough sophistication to provide the customized results
directly, the management module sends requests for the
results, and the real-time feedback signal is generated in
response to such requests.

In step 80, the management module determines whether
an adjustment to its operation is needed. For example, the
management module may compare the generated network
traffic results to a set of particular TOS goals to determine
whether the management module is achieving these TOS
goals. If no adjustment is needed (e.g., if the QoS goals are
achieved), step 80 proceeds back to step 74. If an adjustment
is needed (e.g., if the QoS goals are not achieved), step 80
proceeds to step 82.

In step 82, the management module adjusts the control
parameters (initialized in step 72) according to the one or
more algorithms based on the real-time feedback results.
Such adjustments typically improve the data communica-
tions device's ability to attain the particular TOS goals for
the management module. Then, step 82 proceeds back to
step 74.

When the data communications device 10 is in normal
operation, the management module may perform several
iterations of the steps of procedure 70. Through each
iteration, the management module ensures that the data
communications device 10 operates in such a manner that
the TOS goals are likely to be achieved. As the character-
istics of the outputted network traffic change (i.e., the
packets 14 transmitted from the output scheduler 24), the
data communications device 10 dynamically alters its opera-
tion to accommodate such changes.

A further explanation will now be provided for each of the
different network packet management modules 16, 18, 20
beginning with the input scheduler 16. In particular, separate
examples are provided of each management module 16, 18,
20 in the context of a data communications device 10 that
supports a variety of QoS classes (e.g., video, audio, general
data and best effort).
Input Scheduler Example

In step 72, the input scheduler 16 initializes a set of
control parameters controlling the manner in which packets
are placed within the queue structure 28. In particular, the set
of control parameters assigns a particular packet class to
each queue 30 and controls the size of each queue 30. By
way of example, packets 14 of the best effort class are
assigned to queue 30-A of the queue structure 28. General
data packets are assigned to queue 30-B. Audio packets are
assigned to queue 30-C. Video packets are assigned to queue
30-D. The queue sizes can be set such that the queue
structure 28 can store an equal number of best effort, general
data, audio and video packets.

In step 74, the input scheduler 16 performs its function of
scheduling packets 14 within the queue structure 28. For
example, as network packets 14 arrive at the data commu-
nications device 10, the input scheduler 16 stores all packets
of the best effort class in queue 30-A, all packets of the
general data class in queue 30-B, and so on.

In step 76, the input scheduler 16 determines whether it
should continue scheduling network packets 14. For
example, a shutdown signal received by the data commu-
nications device 10 may cause the input scheduler 16 to
terminate its packet scheduling operation.

In step 78, the input scheduler 16 receives customized
real-time feedback results that are based on traffic data
accumulated by the traffic monitor 26. In particular, the
traffic analyzer 32-IS (i.e., the controller 34-IS in conjunc-
tion with the memory 36-IS) operates on general traffic data
provided in the real-time feedback signal 38 to generate
customized results for the input scheduler 16. Alternatively,
the input scheduler 16 sends a request signal 40 to the traffic
monitor 26 to request traffic data in a customized form, and
the traffic monitor 26 responds with the customized results
stored within the real-time feedback signal 38.

In step 80, the input scheduler 16 determines whether to
continue with the present queue assignments and the present
queue sizes depending upon whether particular QoS goals
for the input scheduler 16 have been achieved. For example,
the input scheduler 16 may have a QoS goal of providing
25% of the output scheduler's bandwidth to general data
packets. If the real-time feedback results indicate that the
data communications device 10 has achieved the QoS goals,
the input scheduler 16 proceeds back to step 74. Otherwise,
the input scheduler 16 proceeds to step 82.

In step 82, the input scheduler 16 adjusts the control
parameters according to one or more algorithms and real-
time feedback results in an attempt to achieve the QoS goals.
For example, suppose the input scheduler 16 fails to achieve
the goal of providing 25% of the output scheduler's band-
width to general data packets even though the queue
assigned to general data packets is generally full and the
other queues are generally empty. In such a situation, the
input scheduler 16 runs an algorithm on this traffic data and
determines that the failure may be due to the discarding of
general data packets due to congestion at the output sched-
uler 24 (resulting from high network traffic in the network
12). Accordingly, the algorithm of the input scheduler 16
may direct the input scheduler 16 to increase the queue size
of the queue responsible for temporarily storing general data
packets (e.g., queue 30-B) since buffering the general data
packets, in contrast to discarding general data packets,
increases the likelihood that the packets will be transmitted
successfully.

The input scheduler 16 then returns to step 74, and
schedules newly arriving packets 14 in the queue structure
28 based on the adjusted control parameters. Over time, the
procedure 70 may loop through steps 74-82 several times
such that the input scheduler 16 changes its operation
dynamically over time in response to variations in the
network traffic passing through the data communications
device 10. For example, suppose that the network conges-
tion clears a few minutes later. At that time, the input
scheduler 16 may determine that the larger queue size is no
longer necessary and reclaim some space in the memory 22.
In one embodiment, the input scheduler 16 determines
whether a control parameter adjustment should be made
(step 80) approximately every minute (60 seconds).
Since such changes occur in an automated manner in
response to the real-time feedback signal 38, rather than in
response to human intervention (such as by a network
administrator) over extended and perhaps protracted periods
of time, the input scheduler 16 provides for superior network
packet scheduling. In particular, the input scheduler 16 is
capable of adapting and adjusting its operation to short and
perhaps subtle changes in network traffic in time frames that
are orders of magnitude shorter than conventional tech-
niques requiring either human intervention or techniques
that focus only on traffic arrival patterns from the network.
Such changes would go unnoticed by conventional tech-
niques that collect traffic data over extended time periods.
Reorder Manager Example

A further explanation of the operation of the reorder
manager 18 in the context of QoS classes will now be
provided with reference to FIG. 4. In step 72, the reorder
manager 18 initializes a set of control parameters which
control the order of the queues 30 within the queue structure
28. As such, the control parameters effectively control the 
priority of QoS classes handled by the data communications 
device 10. By way of example, network packets of the best
effort class initially are given the lowest priority and
assigned to queue 30-A of the queue structure 28. General
data packets initially are given a higher priority and
assigned to queue 30-B. Audio packets initially are given a 
higher priority and assigned to queue 30-C. Video packets 
initially are given the highest priority and assigned to queue 
30-D. 

In step 74, the reorder manager 18 orders the queues 30 
within the queue structure 28 based on the control param- 
eters initialized in step 72. For example, the reorder manager 
18 orders queue 30-D first to give the video QoS class the 
highest priority, followed by queue 30-C for the audio QoS 
class, queue 30-B for the general data QoS class, and queue 
30-A for the best effort QoS class. 

In step 76, the reorder manager 18 determines whether it 
should continue to order the queues 30. A shutdown signal 
received by the data communications device 10 would cause 
the reorder manager 18 to terminate its queue ordering 
operation. Otherwise, the reorder manager 18 proceeds to 
step 78. 

In step 78, the reorder manager 18 receives customized 
real-time feedback results that are based on traffic data 
monitored by the traffic monitor 26. In particular, the traffic 
analyzer 32-RM (i.e., the controller 34-RM in conjunction 
with the memory 36-RM) operates on general traffic data 
provided in the real-time feedback signal 38 to generate 
customized results for the reorder manager 18. Alternatively, 
the reorder manager 18 sends a request signal 40 to the 
traffic monitor 26 to request traffic data in a customized 
form, and the traffic monitor 26 responds with the custom- 
ized results stored within the real-time feedback signal 38. 

In step 80, the reorder manager 18 determines whether 
particular QoS goals for the reorder manager 18 have been 
achieved. For example, the reorder manager 18 may have a 
QoS goal of providing 25% of the output scheduler's 
bandwidth to general data packets. If the real-time feedback 
results indicate that the reorder manager 18 meets this goal, 
the reorder manager 18 proceeds to step 74. Otherwise, the 
reorder manager 18 proceeds to step 82. 

In step 82, the reorder manager 18 adjusts its control 
parameters according to one or more algorithms and the 
real-time feedback results. For example, the reorder man- 
ager 18 may use an anti-starvation algorithm to promote any 
QoS classes that are prevented from transmitting due to 
other QoS classes overutilizing the output scheduler 24. In
this situation, the anti-starvation algorithm may reprioritize 
the queues 30, at least temporarily, to allow packets of the 
non-transmitting QoS class (i.e., the starved class) to trans- 
mit. 

As another example, in step 82, if the real-time feedback 
results indicate that 20% of the output scheduler's band- 
width is general data packets and a reorder manager algo- 
rithm indicates that 25% bandwidth for general data packets 
can be achieved by re-prioritizing the list of traffic classes 
such that, at least temporarily, general data is given a higher 
priority than audio packets, the reorder manager 18 adjusts 
the control parameters accordingly. That is, the reorder 
manager 18 swaps the priority of the general data QoS queue 
(queue 30-B) and the audio QoS queue (queue 30-C) on its 
prioritization list such that the general data QoS queue is 
given higher priority. Similarly, if the real-time feedback 
results indicate that only 5% of the output scheduler's 
bandwidth is general data packets, the reorder manager
algorithm may instruct the reorder manager 18 to take more
drastic measures such as giving the audio QoS queue (queue 
30-C) a higher priority than the video QoS queue (queue 
30-D). 

The reorder manager 18 then returns to step 74, and
schedules newly arriving packets 14 in the queue structure
28 based on the adjusted control parameters. Over time, the
procedure 70 may loop through steps 74-82 several times
such that the reorder manager 18 changes its operation
dynamically over time in response to variations in the
network traffic passing through the data communications
device 10. In one embodiment, the reorder manager 18
determines whether a control parameter adjustment should
be made (step 80) approximately every 5 to 10 seconds.
Since such changes occur in response to a real-time feed-
back signal rather than in response to human intervention
(such as by a network administrator) over extended and
perhaps protracted periods of time, the reorder manager 18
provides superior reordering. In particular, the reorder man-
ager 18 is capable of adapting and adjusting its operation to
short and perhaps subtle changes in network traffic in time
frames that are orders of magnitude shorter than conven-
tional techniques that require human intervention or rely on
traffic arrival patterns into the data communications device
from the network.
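Procedure 70 as run by the reorder manager, sketched as an added Python simulation (it is not code from the patent). The 25% general-data goal and the initial priority order come from the text; the strict-priority output scheduler, the per-tick arrival rates, the capacity of 10 packets per tick, the five-tick check interval and the one-position promotion rule are assumptions made for the example.

```python
from collections import Counter

CLASSES = ["video", "audio", "data", "best_effort"]  # initial priority, highest first
ARRIVALS = {"video": 5, "audio": 4, "data": 3, "best_effort": 2}  # constructed load per tick
CAPACITY = 10                             # packets sent per tick (assumed)
GOAL_CLASS, GOAL_SHARE = "data", 0.25     # 25% of output bandwidth for general data


class TrafficMonitor:
    """Counts packets at the output; the feedback signal is a copy of the counters."""

    def __init__(self):
        self.counters = Counter()

    def observe(self, cls, n):
        self.counters[cls] += n

    def feedback_signal(self):
        return Counter(self.counters)


class ReorderManager:
    """Steps 72, 78, 80 and 82 of procedure 70 for the reorder manager."""

    def __init__(self):
        self.priority = list(CLASSES)     # step 72: initial control parameters
        self.last = Counter()

    def adjust(self, signal):
        # Step 78: results for the last interval from two successive counter copies.
        interval = signal - self.last
        self.last = signal
        total = sum(interval.values())
        share = interval[GOAL_CLASS] / total if total else 0.0
        # Step 80: goal met? Step 82: if not, promote the class by one position.
        i = self.priority.index(GOAL_CLASS)
        if share < GOAL_SHARE and i > 0:
            self.priority[i - 1], self.priority[i] = self.priority[i], self.priority[i - 1]
        return share


def transmit(queues, priority, monitor):
    """One tick of a strict-priority output scheduler (assumed discipline)."""
    budget = CAPACITY
    for cls in priority:
        sent = min(queues[cls], budget)
        queues[cls] -= sent
        budget -= sent
        monitor.observe(cls, sent)


def run(ticks=15, interval=5):
    """Return the general-data share seen at each check and the final priority."""
    queues, monitor, manager = Counter(), TrafficMonitor(), ReorderManager()
    shares = []
    for tick in range(1, ticks + 1):
        queues.update(ARRIVALS)                       # arriving packets are queued
        transmit(queues, manager.priority, monitor)   # step 74: queues served in order
        if tick % interval == 0:
            shares.append(manager.adjust(monitor.feedback_signal()))
    return shares, manager.priority


if __name__ == "__main__":
    print(run())
```

With this constructed load the general-data share per five-tick interval goes 10%, 50%, 30%: the first check misses the goal and swaps general data above audio, after which the goal holds while audio waits behind it.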

Discard Manager Example

A further explanation of the operation of the discard
manager 20 will now be provided with reference to FIG. 4.
In step 72, the discard manager 20 initializes a set of control
parameters that control the discarding of network packets 14
from the queue structure 28. By way of example, the control
parameters direct the discard manager 20 to discard all best
effort packets before discarding all other packets.
Additionally, the control parameters direct the discard man-
ager 20 to discard general data packets prior to discarding
audio packets, and then to discard audio packets prior to
discarding video packets.

In step 74, the discard manager 20 discards packets from
one or more of the queues 30 if any of the queues 30 become
filled. For example, suppose that the best effort QoS queue
(e.g., queue 30-A) becomes filled. In response, the discard
manager 20 discards packets from the best effort queue
(queue 30-A).

In step 76, the discard manager 20 determines whether it
should continue to operate. For example, a shutdown signal
received by the data communications device 10 would cause
the discard manager 20 to terminate its queue ordering
operation. Otherwise, the discard manager 20 proceeds to
step 78.

In step 78, the discard manager 20 receives customized
real-time feedback results that are based on traffic monitored
by the traffic monitor 26. In particular, the traffic analyzer
32-DM (i.e., the controller 34-DM in conjunction with the
memory 36-DM) operates on general traffic data provided in
the real-time feedback signal 38 to generate customized
results for the discard manager 20. Alternatively, the discard
manager 20 sends a request signal 40 to the traffic monitor
26 to request traffic data in a customized form, and the traffic
monitor 26 responds with the customized results stored
within the real-time feedback signal 38.

In step 80, the discard manager 20 determines whether
particular QoS goals for the discard manager 20 have been
achieved. For example, the discard manager 20 may have a
QoS goal of providing 30% of the output scheduler's
bandwidth to video data packets. If the real-time feedback
results indicate that the discard manager 20 meets this goal,
the discard manager 20 proceeds to step 74. Otherwise, the
discard manager 20 proceeds to step 82.




In step 82, the discard manager 18 adjusts its set of control 
parameters according to a discard algorithm and the real- 
time feedback results in signal 38 (see FIG. 1). For example, 
if the real-time feedback results indicate that only 25% of the 
output scheduler's bandwidth is video data packets, 5% 
short of the QoS goal of 30% for video packet bandwidth, 
the discard manager 20 adjusts the control parameters such 
that some non-video packets are discarded to make more 
bandwidth available to video packets. By way of example, 
suppose that the discard algorithm determines that the 
discard manager 20 should discard packets from the queue 
assigned to receive best effort packets (queue 30-A) in an 
attempt to raise the video packet bandwidth above 30%. 
Accordingly, the discard manager 20 adjusts the control 
parameters to allow discarding of best effort packets from 
the queue structure 28. Step 82 then proceeds back to step 
74. 

In step 74, the discard manager 20 discards best effort 
packets from the queue structure 28. The effect of such 
discarding will be sensed by the traffic monitor 26 and cause 
a change in the traffic data within the real-time feedback
signal 38 which is sent to the discard manager 20. 
Accordingly, a feedback loop is formed that enables the 
discard manager 20 to dynamically control discarding of 
packets using the real-time feedback signal 38. In one 
embodiment, the discard manager 20 determines whether a 
control parameter adjustment should be made (step 80) 
approximately every second. No human intervention is 
required. 
Traffic Analyzer 

FIG. 5 shows a procedure 90 performed by each of the 
traffic analyzers 32-IS, 32-RM, and 32-DM demonstrating 
that traffic analyzer's ability to generate different types of 
performance measures (e.g., rate data) and optimality data 
based on the traffic data stored within the real-time feedback 
signal 38. In step 92, the traffic analyzer 32 receives traffic 
data within the real-time feedback signal 38. In step 94, the 
traffic analyzer 32 generates rate data based on the traffic 
data (e.g., rate data). In step 96, the traffic analyzer 32
provides the rate data to the management module (e.g., the 
discard manager 20). 

Subsequent performance of procedure 90 by the same 
traffic analyzer 32 may generate a different type of perfor- 
mance measure or optimality data (e.g., step 94-B rather 
than step 94-A). Accordingly, different types of data can be 
provided to the management modules 16, 18, 20 for use in 
managing network packets 14. 

As a result, any management module of the data commu-
nications device 10 may operate based on a variety of data 
and algorithms for scheduling, reordering and discarding. 
FIG. 6 shows a procedure 100 including such operation of 
the data communications device 10. In step 102-1, a par- 
ticular management module 16, 18, 20 of the data commu- 
nications device 10 performs a module function based on a 
first type of data (e.g., the discard manager 20 discards 
packets 14 based on rate data). In step 102-2, that manage- 
ment module performs a module function based on a second
type of data that is different than the first type of data (e.g., 
the discard manager 20 discards packets 14 based on overall 
throughput). In step 102-N, the management module per- 
forms a module function based on another type of data (e.g., 
the discard manager 20 discards packets 14 based on per- 
centage bandwidth or the number of contiguous packets of 
a particular type seen by the traffic monitor 26). Accordingly, 
the management modules 16, 18, 20 of the data communi- 
cations device 10 have the flexibility and dynamic operation 
to optimally manage packets. 




FIG. 7 shows a different embodiment of the invention
device than that shown in FIG. 1. In particular, FIG. 7 shows
a data communications device 110 that includes a central
traffic analyzer 122 for analyzing traffic data stored within
the real-time feedback signal 38. The central traffic analyzer
122 includes a control module 124 and memory 126. The
central traffic analyzer 122 operates to provide traffic data in
a manner similar to the traffic analyzers 32 of FIG. 1.
However, the centralization of the traffic analyzer 122 pro-
vides a benefit of reducing hardware since the centralized
circuitry can be shared (e.g., in a multiplexed manner)
between the various management modules.

For either the data communications device 10 (see FIG. 1) 
or the data communications device 110 (FIG. 7), a real-time 
feedback signal, containing an immediate and up-to-date 
analysis of network traffic data, is used to enable the device 
10, 110 to make dynamic adjustments. Accordingly, such 
adjustments are based on current traffic conditions rather 
than out-dated conditions. This allows the invention devices 
to make adjustments that are superior to conventional adjustment 
techniques that use traffic data collected over extended 
periods of time such as hours or even days. Furthermore, no 
human intervention is required to make the adjustments for 
the invention devices. That is, such adjustments are made in 
an automatic and routine manner alleviating the need for 
human intervention. 

EQUIVALENTS 

While this invention has been particularly shown and 
described with references to preferred embodiments thereof, 
it will be understood by those skilled in the art that various 
changes in form and details may be made therein without 
departing from the spirit and scope of the invention as 
defined by the appended claims. 

For example, it should be understood that the above-discussed 
invention data communications devices can be 
any type of network related device that receives and transmits 
data packets. In particular, the data communications 
devices 10, 110 can be routers, bridges, switches, access 
servers, gateways, hubs, proxy servers, repeaters, and so 
forth which exchange data over an interconnection of data 
links. The data links may be physical cables (e.g., electrical 
or fiber optic connections) or wireless communication 
mechanisms (e.g., cellular telephony equipment). Such data 
communications devices can be general purpose computers 
such as personal computers, workstations, minicomputers, 
mainframes and the like running specialized network 
software, or specialized hardware such as cellular base 
stations, web-site kiosks, facsimile or e-mail servers, video 
servers, and so forth. 

In the context of devices with multiple inputs or outputs, 
it should be understood that the elements shown in FIGS. 1 
and 7 apply to individual outputs of such devices. For 
example, for a router with multiple inputs and outputs, the 
elements of FIG. 1 illustrate the portions of the router that 
operate for a particular output of the router. Other outputs of 
the router would have similar elements or may share a 
centralized component. 

Additionally, the data communications devices of the 
invention can be used with various network protocols and 
with various network types. In particular, network environments 
having data rates such as fractional T1, T1, E1 or 
higher or lower, are suitable for the invention. 

Furthermore, various media are suitable for carrying the 
real-time feedback signal 38 (see FIGS. 1 and 7). The signal 
38 may be digital, analog, modulated (AM or FM) or spread 
spectrum wireless (e.g., CDMA). Additionally, the media 
can be electrical, optical or wireless. 

Moreover, the traffic analyzer 32, 122 and/or the traffic 
monitor 26 may be external to the data communications 
device 10, 110. That is, a conventional data communications 
device and a conventional traffic monitor can be adapted 
such that the traffic monitor provides a real-time feedback 
signal rather than simple data for storage and post-processing. 
Similarly, a conventional data communications 
device can be adapted to receive real-time results as input. 
The traffic analyzer then analyzes the traffic data contained 
within the real-time signal and generates real-time results 
that enable the data communications device to make 
dynamic adjustments. Accordingly, human intervention is 
not required to make adjustments, and such adjustments are 
made automatically in a timelier manner. 

Additionally, it should be understood that the data communications 
device may include other management modules 
(e.g., other modules in addition to the input scheduler 16, the 
reorder manager 18 and the discard manager 20), and that 
such modules may operate according to one or more algorithms 
using the real-time feedback results derived from the 
real-time feedback signal as an input. Accordingly, adjustments 
to the operation of the modules are based, at least 
partially, on the real-time feedback signal. 

It should be understood that it is unnecessary for each 
management module to operate according to the real-time 
feedback signal. Rather, at least one management module 
operates according to the real-time feedback signal. Some or 
all of the management modules may use conventional algorithms 
to determine operation. However, at least one of the 
management modules uses an algorithm that takes the 
generated real-time feedback data as an input. To reduce the 
complexity of having to create new algorithms, conventional 
algorithms can be used where a normally non-real-time 
input is replaced with the real-time feedback results. 

Furthermore, it should be understood that the real-time 
feedback signal 38 is preferably sent automatically from the 
traffic monitor 26. In this situation, there is no need for the 
traffic monitor 26 to receive a request signal 40. 

As an alternative, if the traffic monitor 26 is a sophisticated 
device capable of providing customized results, the 
traffic monitor 26 waits for the request signal 40 to identify 
a particular type customized result and then sends the 
real-time feedback signal 38 in response to the request 40. 
In this situation, the requests 40 are regular in nature such 
that the real-time feedback signal 38 is provided routinely 
enabling the data communications device to maintain packet 
management under dynamic control. 

Furthermore, it should be understood that the procedure 
70 (see FIG. 4) can be modified such that the control 
parameters of the management module are adjusted regardless 
of whether the data communications device presently 
achieves its TOS requirements (e.g., QoS goals). 
Accordingly, performance improvements are attempted continuously. 

Additionally, it should be understood that classes other 
than QoS classes are suitable TOS for the invention. For 
example, dedicated TOS classes can be established for 
particular events such as a scheduled point-to-point audio/video 
conference or a scheduled pay-per-view event. In such 
situations, data communication devices along a path of the 
network 12 operate to provide a customized TOS between 
the source and destination for each event. 

Furthermore, it should be understood that the operations 
of the input scheduler 16, the reorder manager 18, the 
discard manager 20, and perhaps other modules using the 
real-time feedback signal 38, can be based on a variety of 
metrics. In one embodiment, the real-time feedback signal 
indicates, and these modules use, as metrics, at least one 
of a maximum packet size for each of the multiple packet 
classes, a minimum packet size for each of the multiple 
packet classes, a mean packet size for each of the multiple 
packet classes, a maximum packet size for all of the multiple 
packet classes, a minimum packet size for all of the 
multiple packet classes, a mean packet size for all of the multiple 
packet classes, a maximum number of contiguous bits for 
each of the multiple packet classes, a minimum number of 
contiguous bits for each of the multiple packet classes, a 
mean number of contiguous bits for each of the multiple 
packet classes, a maximum number of contiguous bits for all 
of the multiple packet classes, a minimum number of 
contiguous bits for all of the multiple packet classes, and a 
mean number of contiguous bits for all of the multiple 
packet classes. Other similar traffic-related metrics can be 
used as well, and are intended to be within the scope of the 
invention. 

What is claimed is: 

1. A method for managing packets in a data communications 
device having a memory, the method comprising the 
steps of: 

transmitting an initial set of packets from the data communications 
device; 

monitoring transmission of the initial set of the packets 
from the data communications device, and providing a 
real-time feedback signal indicating transmission information 
regarding the initial set of packets; 

manipulating a new set of packets within the memory of 
the data communications device based on the real-time 
feedback signal; and 

transmitting the new set of packets from the data communications 
device based on how the new set of 
packets was manipulated within the memory of the data 
communications device. 

2. The method of claim 1 wherein each packet belongs to 
one of multiple packet classes, and wherein the step of 
monitoring and providing includes the step of: 

generating the real-time feedback signal to indicate transmission 
levels of the multiple packet classes for the 
initial set of packets. 

3. The method of claim 2 wherein the memory of the data 
communications device stores a queue structure, and 
wherein the step of manipulating includes the step of: 

scheduling a packet of the new set of packets in the queue 
structure based on the transmission levels of the multiple 
packet classes for the initial set of packets, as 
indicated by the real-time feedback signal. 

4. The method of claim 2 wherein the memory of the data 
communications device stores a queue structure, and 
wherein the step of manipulating includes the step of: 

reordering queues within the queue structure when the 
transmission levels of the multiple packet classes for 
the initial set of packets, as indicated by the real-time 
feedback signal, cause the data communications device 
to detect a reorder condition. 

5. The method of claim 2 wherein the memory of the data 
communications device stores a queue structure, and 
wherein the step of manipulating includes the step of: 

discarding a packet of the new set of packets from the 
queue structure when the transmission levels of the 
multiple packet classes for the initial set of packets, as 
indicated by the real-time feedback signal, cause the 
data communications device to detect a discard condition. 

6. The method of claim 2 wherein the memory of the data 
communications device stores a queue structure, and 
wherein the step of manipulating includes the steps of: 

scheduling each of the new set of packets in the queue 
structure based on the transmission levels of the multiple 
packet classes for the initial set of packets, as 
indicated by the real-time feedback signal; 

reordering queues of the queue structure when the transmission 
levels of the multiple packet classes for the 
initial set of packets, as indicated by the real-time 
feedback signal, cause the data communications device 
to detect a reorder condition; and 

discarding a packet of the new set of packets from the 
queue structure when the transmission levels of the 
multiple packet classes for the initial set of packets, as 
indicated by the real-time feedback signal, cause the 
data communications device to detect a discard condi- 
tion. 

7. The method of claim 2 wherein each packet includes a 
bit pattern indicative of one of the multiple packet classes, 
and wherein the step of monitoring and providing includes 
the step of: 

sampling packets from the initial set of packets; 

recognizing, for each sampled packet, a bit pattern of that 
packet, and updating a set of data structures based on 
the recognized bit pattern of that packet, the data 
structures respectively corresponding to the multiple 
packet classes; and 

generating the real-time feedback signal based on the 
updated set of data structures such that the real-time 
feedback signal is indicative of the transmission levels 
of the multiple packet classes for the initial set of 
packets. 

8. The method of claim 7 wherein the real-time feedback 
signal indicates a bit count for each of the multiple packet 
classes, and a total bit count; and wherein the method further 
comprises the step of: 

providing a bit rate for each of the multiple packet classes 
based on the bit count for each of the multiple packet 
classes and the total bit count such that the new set of 
packets are manipulated based on the bit rate for each 
of the multiple packet classes. 

9. The method of claim 2, further comprising the step of: 

generating, prior to the step of monitoring and providing, 
a request signal for information regarding the transmission 
levels of the multiple packet classes for the initial 
set of packets. 

10. The method of claim 9 wherein the step of monitoring 
and providing includes the step of: 

generating the real-time feedback signal in response to the 
request signal. 

11. A data communications device, comprising: 

a storage and transmission circuit that stores and transmits 
packets; 

a traffic monitor, coupled to the storage and transmission 
circuit, that monitors packet transmissions from the 
storage and transmission circuit, and generates a real- 
time feedback signal indicating packet transmission 
information; and 

a control circuit, coupled to the storage and transmission 
circuit and the traffic monitor, that manipulates packets 
within the storage and transmission circuit based on the 
real-time feedback signal, the storage and transmission 
circuit transmitting packets based on how the packets 
are manipulated by the control circuit. 
12. The data communications device of claim 11 wherein 
each packet belongs to one of multiple packet classes, and 
wherein the traffic monitor includes: 

a controller that generates the real-time feedback signal to 
indicate transmission levels of the multiple packet 
classes for packets transmitted from the storage and 
transmission circuit. 

13. The data communications device of claim 12 wherein 
the storage and transmission circuit includes a memory that 
stores a queue structure, and wherein the control circuit 
includes: 

an input scheduler having a first input that receives 
packets, a second input that receives the real-time 
feedback signal, and an output that schedules the 
received packets in the queue structure based on the 
transmission levels of the multiple packet classes, as 
indicated by the real-time feedback signal. 

14. The data communications device of claim 12 wherein 
the storage and transmission circuit includes a memory that 
stores a queue structure, and wherein the control circuit 
includes: 

a reorder manager having an input that receives the 
real-time feedback signal, and an output that reorders 
queues within the queue structure when the transmission 
levels of the multiple packet classes, as indicated 
by the real-time feedback signal, cause the reorder 
manager to detect a reorder condition. 

15. The data communications device of claim 12 wherein 
the storage and transmission circuit includes a memory that 
stores a queue structure, and wherein the control circuit 
includes: 

a discard manager having an input that receives the 
real-time feedback signal, and an output that discards a 
packet from the queue structure when the transmission 
levels of the multiple packet classes, as indicated by the 
real-time feedback signal, cause the discard manager to 
detect a discard condition. 

16. The data communications device of claim 12 wherein 
the storage and transmission circuit includes a memory that 
stores a queue structure, and wherein the control circuit 
includes: 

an input scheduler having a first input that receives 
packets, a second input that receives the real-time 
feedback signal, and an output that schedules the 
received packets in the queue structure based on the 
transmission levels of the multiple packet classes, as 
indicated by the real-time feedback signal; 

a reorder manager having an input that receives the 
real-time feedback signal, and an output that reorders 
queues of the queue structure when the transmission 
levels of the multiple packet classes, as indicated by the 
real-time feedback signal, cause the reorder manager to 
detect a reorder condition; and 

a discard manager having an input that receives the 
real-time feedback signal, and an output that discards a 
packet from the queue structure when the transmission 
levels of the multiple packet classes, as indicated by the 
real-time feedback signal, cause the discard manager to 
detect a discard condition. 

17. The data communications device of claim 16 wherein 
the input scheduler, the reorder manager and the discard 
manager use respective instances of the real-time feedback 
signal to operate asynchronously relative to each other. 

18. The data communications device of claim 16 wherein 
the input scheduler, the reorder manager and the discard 
manager use a same instance of the real-time feedback 
signal when in operation. 

19. The data communications device of claim 12 wherein 
each packet includes a bit pattern indicative of one of the 
multiple packet classes, and wherein the traffic monitor 
includes: 

a pattern recognizer that (i) samples packets transmitted 
from the storage and transmission circuit, and (ii) 
recognizes, for each sampled packet, a bit pattern of 
that packet; and 

a controller, coupled to the pattern recognizer, that (i) 
updates, for each sampled packet, a set of data structures 
based on the recognized bit pattern of that packet, 
the data structures respectively corresponding to the 
multiple packet classes, and (ii) generates the real-time 
feedback signal based on the updated set of data 
structures such that the real-time feedback signal is 
indicative of the transmission levels of the multiple 
packet classes. 

20. The data communications device of claim 19 wherein 
the real-time feedback signal indicates a bit count for each 
of the multiple packet classes, and a total bit count; and 
wherein the control circuit includes: 

a traffic analyzer that receives the real-time feedback 
signal and provides a bit rate for each of the multiple 
packet classes based on the bit count for each of the 
multiple packet classes and the total bit count such that 
packets are manipulated within the storage and transmission 
circuit based on the bit rate for each of the 
multiple packet classes. 

21. The data communications device of claim 12 wherein 
the real-time feedback signal indicates, as metrics, at least 
one of a maximum packet size for each of the multiple 
packet classes, a minimum packet size for each of the 
multiple packet classes, a mean packet size for each of the 
multiple packet classes, a maximum packet size for all of the 
multiple packet classes, a minimum packet size for all of the 
multiple packet classes, a mean packet size for all of the 
multiple packet classes, a maximum number of contiguous 
bits for each of the multiple packet classes, a minimum 
number of contiguous bits for each of the multiple packet 
classes, a mean number of contiguous bits for each of the 
multiple packet classes, a maximum number of contiguous 
bits for all of the multiple packet classes, a minimum 
number of contiguous bits for all of the multiple packet 
classes, and a mean number of contiguous bits for all of the 
multiple packet classes. 

22. The data communications device of claim 12 wherein 
the control circuit includes: 

a control module that generates a request signal for 
information regarding the transmission levels of the 
multiple packet classes. 

23. The data communications device of claim 22 wherein 
the traffic monitor includes: 

a controller having an input that receives the request 
signal, and an output that provides the real-time feedback 
signal in response to the request signal. 

24. The method of claim 1 wherein the step of providing 
a real-time feedback signal further includes the step of 
generating customized data to send as said feedback signal. 

25. The method of claim 24 wherein said data communications 
device has a plurality of management functions 
and said step of generating customized data includes the step 
of generating data customized to a particular management 
function. 

26. The method of claim 24 wherein said step of generating 
customized data further includes generating data customized 
to achieve a type of service goal. 

27. The data communications device of claim 11 further 
comprising a plurality of management modules, each said 
management module having a particular data management 
function, and wherein the traffic monitor further includes a 
controller that generates a real-time feedback signal of 
customized data, said data customized to the particular 
function of one of said management modules. 